{"ip":"93.123.118.39","exported_at":"2026-07-18T06:19:19+00:00","period_days":7,"metrics":{"events7d":335,"distinct_ports":1,"distinct_classifications":3,"max_severity":7,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":46,"attack_stage":"probe","attack_chain_stage":"reconnaissance","threat_family":["network_service_scan"],"recommended_action":"monitor","confidence":0.77,"risk_breakdown":{"waf":8,"classification":50,"behavior":0,"geo":0,"protocol":30,"novelty":0},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0001","top_mitre_count":191,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 45\/100","campaign_hint_fr":"Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)","confidence_breakdown":{"waf":8,"classification":50,"behavior":0,"geo":0,"protocol":30,"novelty":0,"risk_score":45,"correlation_boost":10},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["scan_coordonn\u00e9"],"correlation_flags_labels_fr":["Scan coordonn\u00e9"],"confidence_pct":77,"confidence_hint_fr":"Corr\u00e9lation +10","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0567","Upstream"],"tags_summary":["pat-0567","INT-upstream"],"attack_vector":"socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)","protocol_details":{"payload_preview":"\u0005\u0001\u0000","port":1080,"service":"socks5","service_label_fr":"SOCKS5"},"protocol_summary_fr":"Payload \u0005\u0001 \u00b7 SOCKS5:1080","evidence_snippet":"\u0005\u0001","target_port_label":"1080 \u00b7 SOCKS5","emulator_service":"socks5","confidence_reason":"Confiance 67 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%","classification_reason_label_fr":"Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%","confidence_factors_fr":"Confiance 77 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10","payload_preview":"\u0005\u0001"},"events":[{"id":12726531,"ip":"93.123.118.39","ts":"2026-07-18 05:51:08.000000","proto":"tcp","src_port":52632,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 3, \u0022payload_entropy\u0022: 1.584962500721156, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022271d05a6cd2323b9ac63bce8f3ac33332ef07649\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022precision_score\u0022: 75, \u0022precision_signals\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 67.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022da075e9d699084fc189cdd233081c49f\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220d80e8fd6254a8b4da743f53b12e94ed91fca06d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0567\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 14, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":3},{"id":12726528,"ip":"93.123.118.39","ts":"2026-07-18 05:51:01.000000","proto":"tcp","src_port":52432,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 3, \u0022payload_entropy\u0022: 1.584962500721156, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022271d05a6cd2323b9ac63bce8f3ac33332ef07649\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022precision_score\u0022: 75, \u0022precision_signals\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 67.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022da075e9d699084fc189cdd233081c49f\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220d80e8fd6254a8b4da743f53b12e94ed91fca06d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0567\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 14, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":3},{"id":12726520,"ip":"93.123.118.39","ts":"2026-07-18 05:50:54.000000","proto":"tcp","src_port":59128,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 3, \u0022payload_entropy\u0022: 1.584962500721156, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022271d05a6cd2323b9ac63bce8f3ac33332ef07649\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022precision_score\u0022: 75, \u0022precision_signals\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 67.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022da075e9d699084fc189cdd233081c49f\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220d80e8fd6254a8b4da743f53b12e94ed91fca06d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0567\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 13, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":3},{"id":12723696,"ip":"93.123.118.39","ts":"2026-07-18 05:16:29.000000","proto":"tcp","src_port":45602,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 64, \u0022payload_entropy\u0022: 4.632048827786958, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d75e24c5a576ed37196f35fc7edd2b56\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 104.21.40.244:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 104.21.40.244:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 104.21.40.244:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 104.21.40.244:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 104.21.40.244:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002260d0ad25903466ca1947e748217e7b50c8909526\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 104.21.40.244:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 104.21.40.244:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 104.21.40.244:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 104.21.40.244:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 6, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":64},{"id":12723694,"ip":"93.123.118.39","ts":"2026-07-18 05:16:27.000000","proto":"tcp","src_port":45554,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 64, \u0022payload_entropy\u0022: 4.800093945008263, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d3bf7cd19e565c702214715bf1bf1eca\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022059c253399933912b002d700196062523054bc87\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 6, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":64},{"id":12723689,"ip":"93.123.118.39","ts":"2026-07-18 05:16:20.000000","proto":"tcp","src_port":45460,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 64, \u0022payload_entropy\u0022: 4.800093945008263, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d3bf7cd19e565c702214715bf1bf1eca\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022059c253399933912b002d700196062523054bc87\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 172.67.140.99:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":64},{"id":12723684,"ip":"93.123.118.39","ts":"2026-07-18 05:16:16.000000","proto":"tcp","src_port":52624,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 69, \u0022payload_entropy\u0022: 4.564995565995301, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b2875e36d72f192d3fc71a7c8c4e28b9\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f161c96739b65cf8b6a836fb8926964bd6a731eb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":69},{"id":12723674,"ip":"93.123.118.39","ts":"2026-07-18 05:16:11.000000","proto":"tcp","src_port":52562,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 69, \u0022payload_entropy\u0022: 4.564995565995301, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b2875e36d72f192d3fc71a7c8c4e28b9\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f161c96739b65cf8b6a836fb8926964bd6a731eb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT tls.bunnyfeet.baby:443 HTTP\/1.1\\r\\nHost: tls.bunnyfeet.baby\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":69},{"id":12721793,"ip":"93.123.118.39","ts":"2026-07-18 04:50:09.000000","proto":"tcp","src_port":52736,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 95, \u0022payload_entropy\u0022: 4.778750577610725, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a13f72043705077ac555d8315431102a\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002218d80987ee46fc817f5faac26c9330123a5cc3fa\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":95},{"id":12721791,"ip":"93.123.118.39","ts":"2026-07-18 04:50:04.000000","proto":"tcp","src_port":52656,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 95, \u0022payload_entropy\u0022: 4.778750577610725, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a13f72043705077ac555d8315431102a\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002218d80987ee46fc817f5faac26c9330123a5cc3fa\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":95},{"id":12721788,"ip":"93.123.118.39","ts":"2026-07-18 04:49:59.000000","proto":"tcp","src_port":52098,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 95, \u0022payload_entropy\u0022: 4.778750577610725, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a13f72043705077ac555d8315431102a\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002218d80987ee46fc817f5faac26c9330123a5cc3fa\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:7000 HTTP\/1.1\\r\\nHost: 51.222.140.50:7000\\r\\nProxy-Connection: Keep-Alive\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":95},{"id":12720952,"ip":"93.123.118.39","ts":"2026-07-18 04:37:45.000000","proto":"tcp","src_port":43456,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 62, \u0022payload_entropy\u0022: 4.734055334713576, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227010fdad0a7612b6fd7c8f9e4878ca5b\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f827346ae2af9c122b1f5f0c8b413b4573c959b6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":62},{"id":12720947,"ip":"93.123.118.39","ts":"2026-07-18 04:37:40.000000","proto":"tcp","src_port":43344,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 62, \u0022payload_entropy\u0022: 4.822922673493043, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b869f934f5a2769a626751f1e2ef38d3\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002272610a648370d8d3e3df69d5aaa55216938b98f2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 51.195.40.238:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":62},{"id":12720946,"ip":"93.123.118.39","ts":"2026-07-18 04:37:37.000000","proto":"tcp","src_port":51334,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 62, \u0022payload_entropy\u0022: 4.734055334713576, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227010fdad0a7612b6fd7c8f9e4878ca5b\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f827346ae2af9c122b1f5f0c8b413b4573c959b6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":62},{"id":12720941,"ip":"93.123.118.39","ts":"2026-07-18 04:37:32.000000","proto":"tcp","src_port":51204,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 62, \u0022payload_entropy\u0022: 4.734055334713576, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227010fdad0a7612b6fd7c8f9e4878ca5b\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f827346ae2af9c122b1f5f0c8b413b4573c959b6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 51.222.140.50:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":62},{"id":12720939,"ip":"93.123.118.39","ts":"2026-07-18 04:37:31.000000","proto":"tcp","src_port":51186,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 66, \u0022payload_entropy\u0022: 4.564867748271415, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226a2ee3d88dc3b8819168dd881bf5ab00\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b86392f44acb421cfc751d3f47c0228cc06edfbb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":66},{"id":12720930,"ip":"93.123.118.39","ts":"2026-07-18 04:37:25.000000","proto":"tcp","src_port":51756,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 66, \u0022payload_entropy\u0022: 4.564867748271415, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226a2ee3d88dc3b8819168dd881bf5ab00\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b86392f44acb421cfc751d3f47c0228cc06edfbb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":66},{"id":12720922,"ip":"93.123.118.39","ts":"2026-07-18 04:37:19.000000","proto":"tcp","src_port":36322,"dst_port":1080,"service":"socks5","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 66, \u0022payload_entropy\u0022: 4.564867748271415, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207f7e2e20e6c76d559c43341602cf94694f86ff5\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226a2ee3d88dc3b8819168dd881bf5ab00\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b86392f44acb421cfc751d3f47c0228cc06edfbb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT we-love-the.world:80 HTTP\/1.1\\r\\nHost: we-love-the.world\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 8, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":66},{"id":12719554,"ip":"93.123.118.39","ts":"2026-07-18 04:17:09.000000","proto":"tcp","src_port":36038,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 3, \u0022payload_entropy\u0022: 1.584962500721156, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022271d05a6cd2323b9ac63bce8f3ac33332ef07649\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022precision_score\u0022: 75, \u0022precision_signals\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 67.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022da075e9d699084fc189cdd233081c49f\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220d80e8fd6254a8b4da743f53b12e94ed91fca06d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0567\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 6, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":3},{"id":12719551,"ip":"93.123.118.39","ts":"2026-07-18 04:17:03.000000","proto":"tcp","src_port":35936,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 3, \u0022payload_entropy\u0022: 1.584962500721156, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022271d05a6cd2323b9ac63bce8f3ac33332ef07649\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022precision_score\u0022: 75, \u0022precision_signals\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 67.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022da075e9d699084fc189cdd233081c49f\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220d80e8fd6254a8b4da743f53b12e94ed91fca06d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0567\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 6, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":3},{"id":12719550,"ip":"93.123.118.39","ts":"2026-07-18 04:16:58.000000","proto":"tcp","src_port":42014,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 3, \u0022payload_entropy\u0022: 1.584962500721156, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022271d05a6cd2323b9ac63bce8f3ac33332ef07649\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022precision_score\u0022: 75, \u0022precision_signals\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 67.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022da075e9d699084fc189cdd233081c49f\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220d80e8fd6254a8b4da743f53b12e94ed91fca06d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0567\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 6, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022], \u0022behavior_alert_count\u0022: 2, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":3},{"id":12718767,"ip":"93.123.118.39","ts":"2026-07-18 04:02:17.000000","proto":"tcp","src_port":35614,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 3, \u0022payload_entropy\u0022: 1.584962500721156, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022271d05a6cd2323b9ac63bce8f3ac33332ef07649\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022precision_score\u0022: 75, \u0022precision_signals\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 67.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022da075e9d699084fc189cdd233081c49f\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220d80e8fd6254a8b4da743f53b12e94ed91fca06d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0567\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":3},{"id":12718763,"ip":"93.123.118.39","ts":"2026-07-18 04:02:12.000000","proto":"tcp","src_port":35538,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 3, \u0022payload_entropy\u0022: 1.584962500721156, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022271d05a6cd2323b9ac63bce8f3ac33332ef07649\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022precision_score\u0022: 75, \u0022precision_signals\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 67.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022da075e9d699084fc189cdd233081c49f\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220d80e8fd6254a8b4da743f53b12e94ed91fca06d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0567\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":3},{"id":12718761,"ip":"93.123.118.39","ts":"2026-07-18 04:02:06.000000","proto":"tcp","src_port":60524,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 3, \u0022payload_entropy\u0022: 1.584962500721156, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022271d05a6cd2323b9ac63bce8f3ac33332ef07649\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022precision_score\u0022: 75, \u0022precision_signals\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0567\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 67.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022da075e9d699084fc189cdd233081c49f\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220d80e8fd6254a8b4da743f53b12e94ed91fca06d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0567\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0567\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 7, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_greeting\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":3},{"id":12717117,"ip":"93.123.118.39","ts":"2026-07-18 03:43:36.000000","proto":"tcp","src_port":43530,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.5183317139332795, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002274df7e49f8c4c6183c0d12eea5e39bdc\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_19838ed5f73abdea HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_19838ed5f73abdea HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_19838ed5f73abdea HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_19838ed5f73abdea HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_19838ed5f73abdea HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022faccefe49e9b9f439169ab4842bcc5570a1e461e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_19838ed5f73abdea HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_19838ed5f73abdea HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_19838ed5f73abdea HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_19838ed5f73abdea HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 11, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12717116,"ip":"93.123.118.39","ts":"2026-07-18 03:43:34.000000","proto":"tcp","src_port":43488,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.524349057462668, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b37ecbd9e69cfac4d8aee09b91a87046\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_fd4a91b18359641e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_fd4a91b18359641e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_fd4a91b18359641e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_fd4a91b18359641e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_fd4a91b18359641e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002224731aaa3482f9ca91a7f97d4a8385f5915931fd\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_fd4a91b18359641e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_fd4a91b18359641e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_fd4a91b18359641e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_fd4a91b18359641e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 11, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12717115,"ip":"93.123.118.39","ts":"2026-07-18 03:43:31.000000","proto":"tcp","src_port":43442,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.531790238280433, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002210b807480d51a8edd7d4d517acb692d4\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_c718da2f2a71d35a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_c718da2f2a71d35a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_c718da2f2a71d35a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_c718da2f2a71d35a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_c718da2f2a71d35a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002243d0f229693f71d79f05aa6b340ba9f03be42f40\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_c718da2f2a71d35a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_c718da2f2a71d35a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_c718da2f2a71d35a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_c718da2f2a71d35a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 11, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12717114,"ip":"93.123.118.39","ts":"2026-07-18 03:43:29.000000","proto":"tcp","src_port":43366,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.522098094504067, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022547deffadf7218c1d0b7166da6ca4a02\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_35b74c4ca5052d3a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_35b74c4ca5052d3a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_35b74c4ca5052d3a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_35b74c4ca5052d3a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_35b74c4ca5052d3a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227446e816b2060083995b06aba43f6adc4c65b376\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_35b74c4ca5052d3a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_35b74c4ca5052d3a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_35b74c4ca5052d3a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_35b74c4ca5052d3a HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 11, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12717110,"ip":"93.123.118.39","ts":"2026-07-18 03:43:27.000000","proto":"tcp","src_port":54514,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.492269883407031, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f9906a529158f1f4663387387a772d55\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_9da7d0ab11edaeeb HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_9da7d0ab11edaeeb HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_9da7d0ab11edaeeb HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_9da7d0ab11edaeeb HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_9da7d0ab11edaeeb HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022150d7793c39dfdd44c0d155c7e3e7dba0f7ee30c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_9da7d0ab11edaeeb HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_9da7d0ab11edaeeb HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_9da7d0ab11edaeeb HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_9da7d0ab11edaeeb HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 11, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12717111,"ip":"93.123.118.39","ts":"2026-07-18 03:43:27.000000","proto":"tcp","src_port":54540,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.533301900214724, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fbf989e12be0d95af847b5d3fa2ecef6\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_c9057877280fe990 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_c9057877280fe990 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_c9057877280fe990 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_c9057877280fe990 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_c9057877280fe990 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022412ae5abcc413db4628fd62c95eb6fc5af97b0eb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_c9057877280fe990 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_c9057877280fe990 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_c9057877280fe990 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_c9057877280fe990 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 11, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12717105,"ip":"93.123.118.39","ts":"2026-07-18 03:43:25.000000","proto":"tcp","src_port":54458,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.506235102402865, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228e894272bb63170798877b667db4eda3\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_0ce3b0f0355337c6 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_0ce3b0f0355337c6 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_0ce3b0f0355337c6 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_0ce3b0f0355337c6 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_0ce3b0f0355337c6 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002268ef49e9585b56194bf3f91cd7842e2ed2589d17\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_0ce3b0f0355337c6 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_0ce3b0f0355337c6 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_0ce3b0f0355337c6 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_0ce3b0f0355337c6 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 11, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12717103,"ip":"93.123.118.39","ts":"2026-07-18 03:43:23.000000","proto":"tcp","src_port":54434,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.5140822648309475, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d6f5ba2702b60afbd937feab90eb4d2d\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_49005a7cfcdbd65e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_49005a7cfcdbd65e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_49005a7cfcdbd65e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_49005a7cfcdbd65e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_49005a7cfcdbd65e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d339fc7cf73b9c6f6923d12c0f0002cb813e6823\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_49005a7cfcdbd65e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_49005a7cfcdbd65e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_49005a7cfcdbd65e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_49005a7cfcdbd65e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 12, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12717102,"ip":"93.123.118.39","ts":"2026-07-18 03:43:21.000000","proto":"tcp","src_port":54332,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.521106586853185, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002295c0ec1d7e4d8c0412597f46d954cd81\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_2e9d8602ac02c46e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_2e9d8602ac02c46e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_2e9d8602ac02c46e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_2e9d8602ac02c46e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_2e9d8602ac02c46e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227b3d1665898e5a7f11e59c7f6ef0cf3b05e1b17d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_2e9d8602ac02c46e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_2e9d8602ac02c46e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_2e9d8602ac02c46e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_2e9d8602ac02c46e HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 12, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12717101,"ip":"93.123.118.39","ts":"2026-07-18 03:43:19.000000","proto":"tcp","src_port":60700,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 410, \u0022payload_entropy\u0022: 5.5523674145483275, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002225a6a49bebe7fa380314a2d12a652d37\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_f8c752793038d882 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022request_sample\u0022: \u0022GET \/check_f8c752793038d882 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_f8c752793038d882 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_f8c752793038d882 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_f8c752793038d882 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002210972b2d97db66d963339f968272e6a7647b8a70\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_f8c752793038d882 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_f8c752793038d882 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_f8c752793038d882 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_f8c752793038d882 HTTP\/1.1\\r\\nHost: raw.bunnyfeet.baby\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 12, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":410},{"id":12716722,"ip":"93.123.118.39","ts":"2026-07-18 03:36:52.000000","proto":"tcp","src_port":48886,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.1, \u0022classification_confidence\u0022: 0.1, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fa7aa61033535afa526dd888eb4db7dc\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220dc89c1c81003537abba78ad789d4fa8af9a70ba\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd3\u078c2\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 10, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd3\u078c2\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9},{"id":12716720,"ip":"93.123.118.39","ts":"2026-07-18 03:36:49.000000","proto":"tcp","src_port":55766,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.1, \u0022classification_confidence\u0022: 0.1, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ea9fdabe5c0655ede7326703b196bd27\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022aa9543447a931ab2dc79f0913f2846c67fac90d3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd3\ufffd(\ufffd\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 10, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd3\ufffd(\ufffd\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 11, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9},{"id":12716718,"ip":"93.123.118.39","ts":"2026-07-18 03:36:45.000000","proto":"tcp","src_port":55670,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.1, \u0022classification_confidence\u0022: 0.1, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fa7aa61033535afa526dd888eb4db7dc\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220dc89c1c81003537abba78ad789d4fa8af9a70ba\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd3\u078c2\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 10, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\u078c2\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd3\u078c2\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 12, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9},{"id":12716713,"ip":"93.123.118.39","ts":"2026-07-18 03:36:43.000000","proto":"tcp","src_port":55606,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.1, \u0022classification_confidence\u0022: 0.1, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ea9fdabe5c0655ede7326703b196bd27\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022aa9543447a931ab2dc79f0913f2846c67fac90d3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd3\ufffd(\ufffd\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 10, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd3\ufffd(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd3\ufffd(\ufffd\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 12, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9},{"id":12715442,"ip":"93.123.118.39","ts":"2026-07-18 03:18:51.000000","proto":"tcp","src_port":43212,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.1, \u0022classification_confidence\u0022: 0.1, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022deab96328757c57430c3da1064ee2174\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222b68b7b0b4fcdefd18a1de6a9fca01ccf71fe94d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffdh(\ufffd\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 10, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffdh(\ufffd\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 9, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9},{"id":12715439,"ip":"93.123.118.39","ts":"2026-07-18 03:18:49.000000","proto":"tcp","src_port":36004,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.1, \u0022classification_confidence\u0022: 0.1, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022df8005337761b32b101374e3ff5ece90\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226054d7b182669d0ab565897d18912c9fe97d22bf\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdC\ufffdc\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 10, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdC\ufffdc\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 8, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9},{"id":12715436,"ip":"93.123.118.39","ts":"2026-07-18 03:18:45.000000","proto":"tcp","src_port":35894,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.1, \u0022classification_confidence\u0022: 0.1, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022deab96328757c57430c3da1064ee2174\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222b68b7b0b4fcdefd18a1de6a9fca01ccf71fe94d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffdh(\ufffd\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 10, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffdh\\u0015(\ufffd\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffdh(\ufffd\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 8, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9},{"id":12715434,"ip":"93.123.118.39","ts":"2026-07-18 03:18:43.000000","proto":"tcp","src_port":35798,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 2.94770277922009, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eeb646493d71d6f8d5cef82f140f8a6db3b63378\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.1, \u0022classification_confidence\u0022: 0.1, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022df8005337761b32b101374e3ff5ece90\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226054d7b182669d0ab565897d18912c9fe97d22bf\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdC\ufffdc\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 10, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0001\ufffd\ufffdC\ufffdc\\u0000\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdC\ufffdc\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 8, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks4_greeting\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":9},{"id":12715364,"ip":"93.123.118.39","ts":"2026-07-18 03:17:29.000000","proto":"tcp","src_port":55590,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.507828249123603, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222c6cd71146092b336b135890e082cfbe\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_50864b86ab679a09 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022request_sample\u0022: \u0022GET \/check_50864b86ab679a09 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_50864b86ab679a09 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_50864b86ab679a09 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_50864b86ab679a09 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224c634e107d403d2faea8e572c1399b88d9b6577a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_50864b86ab679a09 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_50864b86ab679a09 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_50864b86ab679a09 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_50864b86ab679a09 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 9, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":409},{"id":12715362,"ip":"93.123.118.39","ts":"2026-07-18 03:17:27.000000","proto":"tcp","src_port":55530,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.518685845155713, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bdfebe233c38dc3ff1e160a1262be2fd\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_ff56edbf3db37323 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022request_sample\u0022: \u0022GET \/check_ff56edbf3db37323 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_ff56edbf3db37323 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_ff56edbf3db37323 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_ff56edbf3db37323 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ba09d9fcaa93310d87ee77426a6289cc601cd416\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_ff56edbf3db37323 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_ff56edbf3db37323 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_ff56edbf3db37323 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_ff56edbf3db37323 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 8, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":409},{"id":12715360,"ip":"93.123.118.39","ts":"2026-07-18 03:17:24.000000","proto":"tcp","src_port":55458,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.518320640778083, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022130948de6f9d55436fba4947feffe4c8\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_c907db07a5457223 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022request_sample\u0022: \u0022GET \/check_c907db07a5457223 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_c907db07a5457223 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_c907db07a5457223 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_c907db07a5457223 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228fcffa242cb94e63ef8f7b28f3775cdceb2a6fab\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_c907db07a5457223 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_c907db07a5457223 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_c907db07a5457223 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_c907db07a5457223 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 9, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":409},{"id":12715359,"ip":"93.123.118.39","ts":"2026-07-18 03:17:22.000000","proto":"tcp","src_port":55396,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.503839800998554, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bc041ead46ce970d2bc21c4c689a7bec\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_1ce2b12ebb99ebff HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022request_sample\u0022: \u0022GET \/check_1ce2b12ebb99ebff HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_1ce2b12ebb99ebff HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_1ce2b12ebb99ebff HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_1ce2b12ebb99ebff HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002265ad8729752f367cf73b7c0b1836eb06f974c9a7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_1ce2b12ebb99ebff HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_1ce2b12ebb99ebff HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_1ce2b12ebb99ebff HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_1ce2b12ebb99ebff HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 9, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":409},{"id":12715357,"ip":"93.123.118.39","ts":"2026-07-18 03:17:20.000000","proto":"tcp","src_port":55370,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.513386233911118, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c10d88e4cf538ba00b2911f4c9a601e4\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_96d4166bd9e18bf5 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022request_sample\u0022: \u0022GET \/check_96d4166bd9e18bf5 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_96d4166bd9e18bf5 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_96d4166bd9e18bf5 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_96d4166bd9e18bf5 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022298fcbf679be610a5f86f8e08b3b5bd27626794b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_96d4166bd9e18bf5 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_96d4166bd9e18bf5 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_96d4166bd9e18bf5 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_96d4166bd9e18bf5 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":409},{"id":12715358,"ip":"93.123.118.39","ts":"2026-07-18 03:17:20.000000","proto":"tcp","src_port":55376,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.494095533372807, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227103def841d4a787de9c9d816652c816\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_4f90e3cebbd469a3 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022request_sample\u0022: \u0022GET \/check_4f90e3cebbd469a3 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_4f90e3cebbd469a3 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_4f90e3cebbd469a3 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_4f90e3cebbd469a3 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bc68b7aed4f27f2261138f892dc3588f4bfadba9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_4f90e3cebbd469a3 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_4f90e3cebbd469a3 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_4f90e3cebbd469a3 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_4f90e3cebbd469a3 HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":409},{"id":12715351,"ip":"93.123.118.39","ts":"2026-07-18 03:17:18.000000","proto":"tcp","src_port":34906,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.501660052171726, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223523d0646e8227738397878a07e7ff89\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_d8ba1391f602a0ca HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022request_sample\u0022: \u0022GET \/check_d8ba1391f602a0ca HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_d8ba1391f602a0ca HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_d8ba1391f602a0ca HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_d8ba1391f602a0ca HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002280555534458869957cac74be346aa83a5cd25d56\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_d8ba1391f602a0ca HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_d8ba1391f602a0ca HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_d8ba1391f602a0ca HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_d8ba1391f602a0ca HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 10, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":409},{"id":12715350,"ip":"93.123.118.39","ts":"2026-07-18 03:17:16.000000","proto":"tcp","src_port":34878,"dst_port":1080,"service":"socks5","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.497521496722348, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 209630, \u0022country\u0022: \u0022BG\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022892854ad827f8428eaa0a7a548d1a6e5292ab14e\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BG\u0022, \u0022asn\u0022: 209630, \u0022org\u0022: \u0022LLC Vash Kredit Bank\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022099495d01bf1ba677fd0553271c06078\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/check_c6485ed18640ba0d HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022request_sample\u0022: \u0022GET \/check_c6485ed18640ba0d HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_c6485ed18640ba0d HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/check_c6485ed18640ba0d HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022payload_snippet\u0022: \u0022GET \/check_c6485ed18640ba0d HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226eb08528ad05b655af971bd52e2d1200876fbb7d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_c6485ed18640ba0d HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/check_c6485ed18640ba0d HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via SOCKS5 \u2014 campagne \/24 (93.123.118.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/check_c6485ed18640ba0d HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via SOCKS5:1080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/check_c6485ed18640ba0d HTTP\/1.1\\r\\nHost: we-love-the.world\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (93.123.118.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u002293.123.118.0\/24\u0022, \u0022coordinated_ip_count\u0022: 11, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":409}],"total_events":335}