{"ip":"94.154.43.36","exported_at":"2026-07-18T21:15:05+00:00","period_days":30,"metrics":{"events7d":52,"distinct_ports":51,"distinct_classifications":10,"max_severity":8,"last_sensor_id":"paris-1","max_waf_score":16,"max_risk_score":57,"attack_stage":"exploit_attempt","attack_chain_stage":"exploitation","threat_family":["path_traversal"],"recommended_action":"investigate","confidence":1,"risk_breakdown":{"waf":72,"classification":84,"behavior":0,"geo":0,"protocol":35,"novelty":15},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":"T1083","top_mitre_technique":"T1083","top_mitre_count":56,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP","campaign_hint_fr":null,"confidence_breakdown":{"waf":72,"classification":84,"behavior":0,"geo":0,"protocol":35,"novelty":15,"risk_score":53},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":100,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0088","pat-0103"],"tags_summary":["pat-0088","pat-0103"],"attack_vector":"lfi php wrapper \u00b7 via HTTP:5 \u00b7 (tentative d\u0027exploit)","protocol_details":{"http_method":"GET","http_path":"\/","request_line":"GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","port":5,"service":"http","service_label_fr":"HTTP"},"protocol_summary_fr":"GET \/ \u00b7 UA Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u2026 \u00b7 HTTP:5","evidence_snippet":"GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\r\nHost: 146.56.180.42:3333\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe","target_port_label":"5 \u00b7 HTTP","emulator_service":"http","confidence_reason":"Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF","classification_reason":"Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%","classification_reason_label_fr":"Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF","payload_preview":"GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\r\nHost: 146.56.180.42:3333\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe"},"events":[{"id":12805201,"ip":"94.154.43.36","ts":"2026-07-18 19:52:46.000000","proto":"tcp","src_port":52768,"dst_port":5,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 5, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002218d1fe020b379054d4151521f0e88a1480aed263\u0022, \u0022event_fingerprint\u0022: \u002203d5b28c8707ea65fdd3eaa027e12bd980281cb0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a0b80e04e289d95d6233f314bf908d28ce93e5e1\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 5, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:5 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00225 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 53, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 5, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:5 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00225 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12792227,"ip":"94.154.43.36","ts":"2026-07-18 17:11:53.000000","proto":"tcp","src_port":40440,"dst_port":4,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 4, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223e2a13c28bd0ff76e9ab65418d4d1f301791dac4\u0022, \u0022event_fingerprint\u0022: \u002244f8214fb88bc5963cef9af7bd70bcbf1750c374\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225a1cfc128d52c24e068dba7b080bbac7664fa4f9\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 4, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:4 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00224 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 53, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 4, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 4, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:4 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00224 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12781919,"ip":"94.154.43.36","ts":"2026-07-18 13:57:44.000000","proto":"tcp","src_port":49648,"dst_port":3,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002213931841fe470fd0dea19f04ac110e7c1c3f3fd7\u0022, \u0022event_fingerprint\u0022: \u0022ac792ce0c580cfb87350d2ae4df467c52b3b0a1c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002231ce7042a596d4c49ce4b86e7a45a4b8dd5643ce\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 3, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:3 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00223 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 53, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 3, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:3 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00223 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12768824,"ip":"94.154.43.36","ts":"2026-07-18 10:57:53.000000","proto":"tcp","src_port":39300,"dst_port":2,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 2, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002297c788fe2046c9177aa609aefa38e644fbf19224\u0022, \u0022event_fingerprint\u0022: \u00224365128f1bc2a64805a2fea94888173cacbf9658\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022463f464d9022aafa23430344cb5bd614742e6792\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 2, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:2 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00222 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 53, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 2, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 2, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:2 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00222 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12743105,"ip":"94.154.43.36","ts":"2026-07-18 09:38:11.000000","proto":"tcp","src_port":56648,"dst_port":1,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 1, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a8663703fe001128f7b1b889b4b5972d11653ea7\u0022, \u0022event_fingerprint\u0022: \u0022e56b0b4921ba118aa2d5843e4a4b76ff5c73e4d9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ab63d2c40c94c1f786d75b7b7a8990b64adcd45c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 1, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:1 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 53, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 1, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 1, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:1 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00221 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12647409,"ip":"94.154.43.36","ts":"2026-07-17 08:16:19.000000","proto":"tcp","src_port":53194,"dst_port":31280,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 31280, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d83885a8122f45fec6735e923ad940d141172add\u0022, \u0022event_fingerprint\u0022: \u0022b08c631765b480cace197c04afed9031e5469bf7\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 31280, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220f7fc371040ae98378051a8d9cee8c88ca3ebc8a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 31280, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:31280 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002231280 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 53, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 31280, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 31280, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:31280 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u002231280 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002231280\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12644347,"ip":"94.154.43.36","ts":"2026-07-17 07:10:29.000000","proto":"tcp","src_port":49916,"dst_port":30000,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 30000, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d9a9143bd8159e7c6edec7f2b6e606442c1b3b95\u0022, \u0022event_fingerprint\u0022: \u0022b7ecfe75b98982857662119cc0c9da5b6268c171\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 30000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228931f0e4736a92dc1d38813f5bee0f823dfdc2ea\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 30000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:30000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002230000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 56, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 30000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 30000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:30000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u002230000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002230000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12619735,"ip":"94.154.43.36","ts":"2026-07-17 05:10:16.000000","proto":"tcp","src_port":35598,"dst_port":28081,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 28081, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d66f0a86cd71b447f33a9e8b7f230c98b6346cd6\u0022, \u0022event_fingerprint\u0022: \u00225919c41fa4908732de473a15fa00ab321d6b639e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 56}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 28081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002209005494e274b7ef2ed9edfa1de42eb3d681d631\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 28081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:28081 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 56}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 56, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 28081, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 28081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:28081 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u002228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12612871,"ip":"94.154.43.36","ts":"2026-07-17 02:12:11.000000","proto":"tcp","src_port":44964,"dst_port":28080,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 28080, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221b0f3d0286365f9004137d082889000a12d24039\u0022, \u0022event_fingerprint\u0022: \u0022e9321a80ddf96fb7f2ea3e5126208a8c8a70d68d\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 56}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 28080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227e0b8b829795f00b6cfb4350d3b71f236ce0d828\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 28080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:28080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 56}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 56, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 28080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 28080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:28080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u002228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12608102,"ip":"94.154.43.36","ts":"2026-07-17 00:03:54.000000","proto":"tcp","src_port":45790,"dst_port":21000,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 21000, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229355285ccce64791bf98d4b354e9a25952bf108e\u0022, \u0022event_fingerprint\u0022: \u00223fff88167b0225ae7c21ef563912e05793622ff6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 21000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022740daba5a63e34cd8f483d8b935f8b468a36031d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 21000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:21000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002221000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 21000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 21000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:21000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u002221000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002221000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12554309,"ip":"94.154.43.36","ts":"2026-07-16 20:03:11.000000","proto":"tcp","src_port":44298,"dst_port":20000,"service":"dnp3-tcp","classification":"dnp3_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002205000000000000000000\u0022, \u0022emulator_response_len\u0022: 10, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022dnp3-tcp\u0022, \u0022app_proto\u0022: \u0022dnp3-tcp\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 20000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 58.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 2.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002267d5ed702c403ab762e96fe67e73daf21881a1e2\u0022, \u0022event_fingerprint\u0022: \u002214eebf67fd895c508f4342c40cf9531e8f997d62\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab dnp3_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 157, \u0022precision_signals\u0022: [\u0022INT-OT-dnp3-unauth\u0022, \u0022INT-OT-dnp3-variants\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-OT-dnp3-unauth\u0022, \u0022INT-OT-dnp3-variants\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022dnp3-tcp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u0022859b07b9d78548343d57aca7faf5fc6a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 20000, \u0022service\u0022: \u0022dnp3-tcp\u0022, \u0022service_name\u0022: \u0022dnp3-tcp\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab dnp3_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T0836\u0022], \u0022mitre\u0022: \u0022T0836\u0022, \u0022threat_family\u0022: [\u0022ics_probe\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220bc90d9dccf985691ffcd49e9861b8314dad70fb\u0022, \u0022protocol_details\u0022: {\u0022dnp3_probe_fr\u0022: \u0022Sonde DNP3 (SCADA \u00e9nergie)\u0022, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 20000, \u0022service\u0022: \u0022dnp3-tcp\u0022, \u0022service_label_fr\u0022: \u0022DNP3 TCP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022dnp3 probe \u00b7 via DNP3 TCP:20000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002220000 \u00b7 DNP3 TCP\u0022, \u0022emulator_service\u0022: \u0022dnp3-tcp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab dnp3_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab dnp3_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022dnp3-tcp\u0022, \u0022service_label_fr\u0022: \u0022DNP3 TCP\u0022, \u0022dst_port\u0022: 20000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-OT-dnp3-unauth\u0022, \u0022INT-OT-dnp3-variants\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Ot Dnp3 Unauth\u0022, \u0022Ot Dnp3 Variants\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T0836\u0022, \u0022mitre_technique\u0022: \u0022T0836\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-dnp3-tcp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022dnp3_probe_fr\u0022: \u0022Sonde DNP3 (SCADA \u00e9nergie)\u0022, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 20000, \u0022service\u0022: \u0022dnp3-tcp\u0022, \u0022service_label_fr\u0022: \u0022DNP3 TCP\u0022}, \u0022attack_vector\u0022: \u0022dnp3 probe \u00b7 via DNP3 TCP:20000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u002220000 \u00b7 DNP3 TCP\u0022, \u0022emulator_service\u0022: \u0022dnp3-tcp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022dnp3_tcp\u0022, \u0022service_banner\u0022: \u0022honeypot-dnp3-tcp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002220000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022dnp3_emulated\u0022, \u0022dnp3_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_dnp3_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022dnp3_emulated\u0022, \u0022dnp3_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_dnp3_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":198},{"id":12542434,"ip":"94.154.43.36","ts":"2026-07-16 17:27:26.000000","proto":"tcp","src_port":38358,"dst_port":18080,"service":"monero-p2p","classification":"monero_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002201110101010101010000000000000000\u0022, \u0022emulator_response_len\u0022: 16, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022monero-p2p\u0022, \u0022app_proto\u0022: \u0022monero-p2p\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 18080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 53.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 53.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223f143756998a97e0bc85f4bd3fb2809e12e8697c\u0022, \u0022event_fingerprint\u0022: \u00229805bd2d8e2babb93b4750898ffa60f92edfba86\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab monero_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 53.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 34}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022monero-p2p\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00228f5f48fae11b9586096853e48ad6d2da\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 18080, \u0022service\u0022: \u0022monero-p2p\u0022, \u0022service_name\u0022: \u0022monero-p2p\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab monero_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c9e1a9a590d5264506aab671ed4ca0026036b747\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 18080, \u0022service\u0022: \u0022monero-p2p\u0022, \u0022service_label_fr\u0022: \u0022MONERO P2P\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022monero probe \u00b7 via MONERO P2P:18080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002218080 \u00b7 MONERO P2P\u0022, \u0022emulator_service\u0022: \u0022monero-p2p\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab monero_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab monero_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 53.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022monero-p2p\u0022, \u0022service_label_fr\u0022: \u0022MONERO P2P\u0022, \u0022dst_port\u0022: 18080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-monero-p2p\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 18080, \u0022service\u0022: \u0022monero-p2p\u0022, \u0022service_label_fr\u0022: \u0022MONERO P2P\u0022}, \u0022attack_vector\u0022: \u0022monero probe \u00b7 via MONERO P2P:18080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u002218080 \u00b7 MONERO P2P\u0022, \u0022emulator_service\u0022: \u0022monero-p2p\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022monero_p2p\u0022, \u0022service_banner\u0022: \u0022honeypot-monero-p2p\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002218080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022monero_p2p_emulated\u0022, \u0022monero_p2p_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_monero_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022monero_p2p_emulated\u0022, \u0022monero_p2p_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_monero_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":198},{"id":12528951,"ip":"94.154.43.36","ts":"2026-07-16 15:12:32.000000","proto":"tcp","src_port":36346,"dst_port":10888,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 10888, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228a1e94b46593b5fcc23dc47483d5f48a81e810a0\u0022, \u0022event_fingerprint\u0022: \u00227ed3bda1f4269be57c9310d92f78b18ac506d9f5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10888, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002258773a72cfab371fe59054000f764c49dc7ec23e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 10888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:10888 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002210888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 53, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 10888, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 10888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:10888 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u002210888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210888\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12512043,"ip":"94.154.43.36","ts":"2026-07-16 13:01:52.000000","proto":"tcp","src_port":37698,"dst_port":10810,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 10810, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002224236112231e99ccabc170b3fb454187cf58668b\u0022, \u0022event_fingerprint\u0022: \u00221198e870fcd712e382857d0d471b5b89f429a83c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10810, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002273240c65df8675748b785682fc97eb02538d6e53\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 10810, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:10810 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002210810 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 10810, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 10810, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:10810 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u002210810 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210810\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12477812,"ip":"94.154.43.36","ts":"2026-07-16 11:09:18.000000","proto":"tcp","src_port":46602,"dst_port":10809,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 10809, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228e6c78ff3d0e76b0d3242ca4022b0d3dcf0772be\u0022, \u0022event_fingerprint\u0022: \u00226913cee4f3b9615a9efeb8f49fdecd9ed694c49b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10809, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c1f148f393fdee536db16203ea8b7ec144eb8374\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 10809, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:10809 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002210809 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 10809, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 10809, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:10809 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u002210809 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210809\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12428716,"ip":"94.154.43.36","ts":"2026-07-16 06:49:51.000000","proto":"tcp","src_port":55924,"dst_port":10808,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 10808, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229710d58291bfc731243de9703975eb5f17e2b05c\u0022, \u0022event_fingerprint\u0022: \u00226e15eb88d2db3a2923cfcf0866484934a0cb6d2a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10808, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220d2ca053e799f18b9bf2f5203a33aa8a14b466a2\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 10808, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:10808 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002210808 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 10808, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 10808, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:10808 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u002210808 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210808\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12357623,"ip":"94.154.43.36","ts":"2026-07-16 02:37:35.000000","proto":"tcp","src_port":56338,"dst_port":10001,"service":"memcached-alt","classification":"mozi_pattern","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002256455253494f4e20312e362e360d0a\u0022, \u0022emulator_response_len\u0022: 15, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022app_proto\u0022: \u0022memcached-alt\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 10001, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 82.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 82.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 36, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002283ebf3e8a5cba2c6d6f1977c4aa7e1e980d7a716\u0022, \u0022event_fingerprint\u0022: \u00225d393a0db7e2c5a66bd33c9f59feee136ae2f314\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 82.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 36}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u0022762d384fab941f6d0c2239f19994f30e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022risk_score\u0022: 36}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022mitre_tactics\u0022: [\u0022TA0011\u0022], \u0022mitre\u0022: \u0022TA0011\u0022, \u0022threat_family\u0022: [\u0022botnet\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222a4d88fa1644ad3e4e6ffe95e81a95696c9d79a4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022mozi pattern \u00b7 via MEMCACHED ALT:10001 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022target_port_label\u0022: \u002210001 \u00b7 MEMCACHED ALT\u0022, \u0022emulator_service\u0022: \u0022memcached-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 36\/100 (Faible) \u2014 MITRE TA0011 \u2014 via MEMCACHED ALT\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 82.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 36}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022attack_stage_label\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022risk_score\u0022: 36, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022, \u0022dst_port\u0022: 10001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0011\u0022, \u0022mitre_technique\u0022: \u0022TA0011\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-memcached-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022}, \u0022attack_vector\u0022: \u0022mozi pattern \u00b7 via MEMCACHED ALT:10001 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u002210001 \u00b7 MEMCACHED ALT\u0022, \u0022emulator_service\u0022: \u0022memcached-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022command_and_control\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022memcached_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-memcached-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12301698,"ip":"94.154.43.36","ts":"2026-07-15 23:21:25.000000","proto":"tcp","src_port":38490,"dst_port":10000,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e\u0022, \u0022emulator_response_len\u0022: 126, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 10000, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226311be7797eb29129c1f53ec798a7409b3656798\u0022, \u0022event_fingerprint\u0022: \u0022b1012fc9cd3736ced13bdb58824fecc09d0e4d89\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 55}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002263a175110451744e7cf51f4292ce1687cbc7ecd8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 10000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:10000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002210000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 55}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 10000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 10000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:10000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u002210000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12280917,"ip":"94.154.43.36","ts":"2026-07-15 21:51:58.000000","proto":"tcp","src_port":55778,"dst_port":9999,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9999, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022909ffbce896e6827a68d9a2fbf0516d5d19d4d16\u0022, \u0022event_fingerprint\u0022: \u00225c1b873ec4349174162e575198764af025350ad2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 55}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9999, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002250c6b17557ef04996be658964a3464585498e7d2\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9999, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9999 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229999 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 55}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9999, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9999, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9999 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229999 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229999\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12218518,"ip":"94.154.43.36","ts":"2026-07-15 19:18:38.000000","proto":"tcp","src_port":59816,"dst_port":9998,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9998, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bd7e734d607d0b0d258462034c12919cc6422244\u0022, \u0022event_fingerprint\u0022: \u00229f401cdff60a9569cd2a39ca4f030c675670377e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9998, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b54e16644cafb8632be5823a3158f789a376b7b2\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9998, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9998 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229998 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9998, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9998, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9998 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229998 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229998\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12204433,"ip":"94.154.43.36","ts":"2026-07-15 16:31:54.000000","proto":"tcp","src_port":53600,"dst_port":9444,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9444, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002213e5d27e059110a88caf53a0e8dab01d8963883b\u0022, \u0022event_fingerprint\u0022: \u0022185cc1002c516857ee2d9a9521d5d4619caeaedd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9444, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225220dad0780d35c6084ba1f9153f8a89f1de4fab\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9444, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9444 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229444 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9444, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9444, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9444 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229444 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229444\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12182271,"ip":"94.154.43.36","ts":"2026-07-15 10:03:14.000000","proto":"tcp","src_port":58732,"dst_port":9200,"service":"elasticsearch","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c\u0022, \u0022emulator_response_len\u0022: 172, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022app_proto\u0022: \u0022elasticsearch\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9200, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 50.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 50.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 57, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002259accf9df27654494a9d090283b1b0e6caab54f0\u0022, \u0022event_fingerprint\u0022: \u0022e3c47dd9b7b82df58f785f8ecdc12ea32d109f12\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 50.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 57}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9200, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_score\u0022: 57}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221b3358d13e45a258deee15a449871cce802a2bbd\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022elasticsearch_probe_fr\u0022: \u0022Requ\u00eate Elasticsearch : http:\/\/146.56.180.42:3333\/\u0022, \u0022port\u0022: 9200, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022service_label_fr\u0022: \u0022ELASTICSEARCH\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via ELASTICSEARCH:9200 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229200 \u00b7 ELASTICSEARCH\u0022, \u0022emulator_service\u0022: \u0022elasticsearch\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via ELASTICSEARCH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 50.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 57}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 57, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022service_label_fr\u0022: \u0022ELASTICSEARCH\u0022, \u0022dst_port\u0022: 9200, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022Elasticsearch 8.11\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022elasticsearch_probe_fr\u0022: \u0022Requ\u00eate Elasticsearch : http:\/\/146.56.180.42:3333\/\u0022, \u0022port\u0022: 9200, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022service_label_fr\u0022: \u0022ELASTICSEARCH\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via ELASTICSEARCH:9200 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229200 \u00b7 ELASTICSEARCH\u0022, \u0022emulator_service\u0022: \u0022elasticsearch\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022elasticsearch\u0022, \u0022service_banner\u0022: \u0022Elasticsearch 8.11\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229200\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022, \u0022net_elasticsearch_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022, \u0022net_elasticsearch_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12157871,"ip":"94.154.43.36","ts":"2026-07-15 07:53:48.000000","proto":"tcp","src_port":41486,"dst_port":9098,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9098, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225eb49766a97ce853e362e81f373d2ed9346353fa\u0022, \u0022event_fingerprint\u0022: \u002279ca86b8579ba1885111ae1ab139d5dd6e5dde39\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9098, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002213aaaef33f09cb6bad228ddf250a7c715fa788b2\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9098, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9098 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229098 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9098, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9098, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9098 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229098 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229098\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12097255,"ip":"94.154.43.36","ts":"2026-07-15 05:49:48.000000","proto":"tcp","src_port":59816,"dst_port":9095,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9095, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d67563b42936bbb1070c5212ddd13614b5febbfa\u0022, \u0022event_fingerprint\u0022: \u0022d3a0cc419e855b738de1e015f233426e8c7b7b9f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9095, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c4e2830d2e7adbd3091236e7bf3ec0fdb197516f\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9095, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9095 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229095 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9095, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9095, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9095 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229095 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229095\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12054930,"ip":"94.154.43.36","ts":"2026-07-15 03:04:13.000000","proto":"tcp","src_port":45352,"dst_port":9093,"service":"kafka-controller","classification":"mozi_pattern","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206b61666b615f636f6e74726f6c6c657220726561647920706f72743d393039330d0a\u0022, \u0022emulator_response_len\u0022: 47, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022kafka-controller\u0022, \u0022app_proto\u0022: \u0022kafka-controller\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9093, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 82.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 2.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 82.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 36, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bc506c5ae586b69e42c2c63a778317653530392f\u0022, \u0022event_fingerprint\u0022: \u00226a387fe1f46a5b5fc49adc452ec81927df9a3c74\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 82.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 36}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022kafka-controller\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u0022762d384fab941f6d0c2239f19994f30e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9093, \u0022service\u0022: \u0022kafka-controller\u0022, \u0022service_name\u0022: \u0022kafka-controller\u0022, \u0022risk_score\u0022: 36}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022mitre_tactics\u0022: [\u0022TA0011\u0022], \u0022mitre\u0022: \u0022TA0011\u0022, \u0022threat_family\u0022: [\u0022botnet\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b7262938b86e9716d108679adc658ad285b632ae\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 9093, \u0022service\u0022: \u0022kafka-controller\u0022, \u0022service_label_fr\u0022: \u0022KAFKA CONTROLLER\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022mozi pattern \u00b7 via KAFKA CONTROLLER:9093 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022target_port_label\u0022: \u00229093 \u00b7 KAFKA CONTROLLER\u0022, \u0022emulator_service\u0022: \u0022kafka-controller\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 36\/100 (Faible) \u2014 MITRE TA0011 \u2014 via KAFKA CONTROLLER\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 82.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 36}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022attack_stage_label\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022risk_score\u0022: 36, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022kafka-controller\u0022, \u0022service_label_fr\u0022: \u0022KAFKA CONTROLLER\u0022, \u0022dst_port\u0022: 9093, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0011\u0022, \u0022mitre_technique\u0022: \u0022TA0011\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-kafka-controller\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 9093, \u0022service\u0022: \u0022kafka-controller\u0022, \u0022service_label_fr\u0022: \u0022KAFKA CONTROLLER\u0022}, \u0022attack_vector\u0022: \u0022mozi pattern \u00b7 via KAFKA CONTROLLER:9093 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229093 \u00b7 KAFKA CONTROLLER\u0022, \u0022emulator_service\u0022: \u0022kafka-controller\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022command_and_control\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022kafka_controller\u0022, \u0022service_banner\u0022: \u0022honeypot-kafka-controller\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229093\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":12010529,"ip":"94.154.43.36","ts":"2026-07-15 00:46:07.000000","proto":"tcp","src_port":55478,"dst_port":9092,"service":"kafka","classification":"kafka_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220000000c6874747000000001000b0000\u0022, \u0022emulator_response_len\u0022: 16, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022kafka\u0022, \u0022app_proto\u0022: \u0022kafka\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9092, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 2.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 29, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e01b552454505be503d90db40228a654afb5a89b\u0022, \u0022event_fingerprint\u0022: \u0022c474d9c3f8c0776c7c96d4f25d2b0651552d8fad\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 29}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022kafka\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u0022369bfdf011acc5969bcb68a7ffd2ca13\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9092, \u0022service\u0022: \u0022kafka\u0022, \u0022service_name\u0022: \u0022kafka\u0022, \u0022risk_score\u0022: 29}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022enterprise_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002281720e3e3123c1efc99b5d0008e724b23944ff17\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 9092, \u0022service\u0022: \u0022kafka\u0022, \u0022service_label_fr\u0022: \u0022KAFKA\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022kafka probe \u00b7 via KAFKA:9092 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229092 \u00b7 KAFKA\u0022, \u0022emulator_service\u0022: \u0022kafka\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 29}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 29, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022kafka\u0022, \u0022service_label_fr\u0022: \u0022KAFKA\u0022, \u0022dst_port\u0022: 9092, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-kafka\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 9092, \u0022service\u0022: \u0022kafka\u0022, \u0022service_label_fr\u0022: \u0022KAFKA\u0022}, \u0022attack_vector\u0022: \u0022kafka probe \u00b7 via KAFKA:9092 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229092 \u00b7 KAFKA\u0022, \u0022emulator_service\u0022: \u0022kafka\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022kafka\u0022, \u0022service_banner\u0022: \u0022honeypot-kafka\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229092\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022kafka_api_versions\u0022, \u0022kafka_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_kafka_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022kafka_api_versions\u0022, \u0022kafka_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_kafka_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":198},{"id":11999694,"ip":"94.154.43.36","ts":"2026-07-14 22:34:45.000000","proto":"tcp","src_port":33594,"dst_port":9091,"service":"kafka-jmx","classification":"mozi_pattern","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206b61666b615f6a6d7820726561647920706f72743d393039310d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022kafka-jmx\u0022, \u0022app_proto\u0022: \u0022kafka-jmx\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9091, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 82.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 2.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 82.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 36, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228285524097faf336ade37e814a5f2e86d0864867\u0022, \u0022event_fingerprint\u0022: \u0022971ef2e8331e408f981a3d06d9f2f0499dd5d0ba\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 82.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 36}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022kafka-jmx\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u0022762d384fab941f6d0c2239f19994f30e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9091, \u0022service\u0022: \u0022kafka-jmx\u0022, \u0022service_name\u0022: \u0022kafka-jmx\u0022, \u0022risk_score\u0022: 36}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022mitre_tactics\u0022: [\u0022TA0011\u0022], \u0022mitre\u0022: \u0022TA0011\u0022, \u0022threat_family\u0022: [\u0022botnet\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b5e0c21730226bd8e4d4df4f681c5aeefbb351bc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 9091, \u0022service\u0022: \u0022kafka-jmx\u0022, \u0022service_label_fr\u0022: \u0022KAFKA JMX\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022mozi pattern \u00b7 via KAFKA JMX:9091 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022target_port_label\u0022: \u00229091 \u00b7 KAFKA JMX\u0022, \u0022emulator_service\u0022: \u0022kafka-jmx\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 36\/100 (Faible) \u2014 MITRE TA0011 \u2014 via KAFKA JMX\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 82.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 36}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022attack_stage_label\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022risk_score\u0022: 36, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022kafka-jmx\u0022, \u0022service_label_fr\u0022: \u0022KAFKA JMX\u0022, \u0022dst_port\u0022: 9091, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0011\u0022, \u0022mitre_technique\u0022: \u0022TA0011\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-kafka-jmx\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 9091, \u0022service\u0022: \u0022kafka-jmx\u0022, \u0022service_label_fr\u0022: \u0022KAFKA JMX\u0022}, \u0022attack_vector\u0022: \u0022mozi pattern \u00b7 via KAFKA JMX:9091 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229091 \u00b7 KAFKA JMX\u0022, \u0022emulator_service\u0022: \u0022kafka-jmx\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022command_and_control\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022kafka_jmx\u0022, \u0022service_banner\u0022: \u0022honeypot-kafka-jmx\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229091\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":11970740,"ip":"94.154.43.36","ts":"2026-07-14 19:25:38.000000","proto":"tcp","src_port":59204,"dst_port":9090,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b\u0022, \u0022emulator_response_len\u0022: 146, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9090, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221ffa498ef759401d14a0f170b28692ad943c3d48\u0022, \u0022event_fingerprint\u0022: \u002268607a64961be6dfc822cd758507df8611963678\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 54}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228698435d1576c7b51629e1c6223678f709894d2b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9090 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 54}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9090, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9090 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":11942611,"ip":"94.154.43.36","ts":"2026-07-14 15:28:40.000000","proto":"tcp","src_port":54514,"dst_port":9081,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9081, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b9b1bc76c758f6be3483e5f933c0aea7ae5e5d30\u0022, \u0022event_fingerprint\u0022: \u00220595ba0b44e8ca5e690dc6d0485de59d533d0791\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 56}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d47b7a7e57c45c4ca4d810a1c5b90b234ef4a20d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9081 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 56}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 56, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9081, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9081 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":11938074,"ip":"94.154.43.36","ts":"2026-07-14 14:53:50.000000","proto":"tcp","src_port":60152,"dst_port":9080,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 57, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f0773aabd0dab6de0a8f7bf7b035262b831be99f\u0022, \u0022event_fingerprint\u0022: \u0022c636809ca568b4c3936837e2c7136e57ebc41d14\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 57}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 57}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227c9f258e7a25ddd637588f9f22fc5ac4b1a3e4ec\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 57}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 57, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":11890581,"ip":"94.154.43.36","ts":"2026-07-14 10:42:38.000000","proto":"tcp","src_port":53242,"dst_port":9060,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9060, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022764f79636a16de11e592688eee22256e0c237234\u0022, \u0022event_fingerprint\u0022: \u002244a2b215dce7c119b32dd9fa349b37ac10aed473\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9060, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022093abd3e58cc78ec36539bcee4f98c61c44dae87\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9060, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9060 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229060 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 53, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9060, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9060, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9060 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229060 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":11860945,"ip":"94.154.43.36","ts":"2026-07-14 08:27:10.000000","proto":"tcp","src_port":39624,"dst_port":9050,"service":"tor-socks","classification":"mozi_pattern","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f7420746f725f736f636b7320726561647920706f72743d393035300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022tor-socks\u0022, \u0022app_proto\u0022: \u0022tor-socks\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9050, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 82.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 82.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b1ada5efceffa1e87a9da9e8f9e347363c0ff8e1\u0022, \u0022event_fingerprint\u0022: \u002283b7d2a8aa1dd392390bb8533ec0659ebf12f22c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 82.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tor-socks\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u0022762d384fab941f6d0c2239f19994f30e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9050, \u0022service\u0022: \u0022tor-socks\u0022, \u0022service_name\u0022: \u0022tor-socks\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022mitre_tactics\u0022: [\u0022TA0011\u0022], \u0022mitre\u0022: \u0022TA0011\u0022, \u0022threat_family\u0022: [\u0022botnet\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002298ca894ce52e34ec653d28d51066c8afcb207e86\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 9050, \u0022service\u0022: \u0022tor-socks\u0022, \u0022service_label_fr\u0022: \u0022TOR SOCKS\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022mozi pattern \u00b7 via TOR SOCKS:9050 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022target_port_label\u0022: \u00229050 \u00b7 TOR SOCKS\u0022, \u0022emulator_service\u0022: \u0022tor-socks\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 38\/100 (Faible) \u2014 MITRE TA0011 \u2014 via TOR SOCKS\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 82.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022attack_stage_label\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tor-socks\u0022, \u0022service_label_fr\u0022: \u0022TOR SOCKS\u0022, \u0022dst_port\u0022: 9050, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0011\u0022, \u0022mitre_technique\u0022: \u0022TA0011\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tor-socks\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 9050, \u0022service\u0022: \u0022tor-socks\u0022, \u0022service_label_fr\u0022: \u0022TOR SOCKS\u0022}, \u0022attack_vector\u0022: \u0022mozi pattern \u00b7 via TOR SOCKS:9050 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229050 \u00b7 TOR SOCKS\u0022, \u0022emulator_service\u0022: \u0022tor-socks\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022command_and_control\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tor_socks\u0022, \u0022service_banner\u0022: \u0022honeypot-tor-socks\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229050\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":11860946,"ip":"94.154.43.36","ts":"2026-07-14 08:27:10.000000","proto":"tcp","src_port":39628,"dst_port":9050,"service":"tor-socks","classification":"proxy_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f7420746f725f736f636b7320726561647920706f72743d393035300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 3, \u0022payload_entropy\u0022: 1.584962500721156, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022tor-socks\u0022, \u0022app_proto\u0022: \u0022tor-socks\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9050, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002272e4059e33cab113c88cac5ca4ddcf8f32c831bf\u0022, \u0022event_fingerprint\u0022: \u00224b9b41cd39d21d8f42e99dfe49afb74032e8a6b4\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab proxy_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022tor-socks\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022da075e9d699084fc189cdd233081c49f\u0022, \u0022path_pattern_hash\u0022: \u0022b6d4fb956dc4d23d1c2c3eccd7f8e7e3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9050, \u0022service\u0022: \u0022tor-socks\u0022, \u0022service_name\u0022: \u0022tor-socks\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab proxy_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225b2f86efd33d099c36d9f6f276cfa58cdf170589\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 9050, \u0022service\u0022: \u0022tor-socks\u0022, \u0022service_label_fr\u0022: \u0022TOR SOCKS\u0022}, \u0022attack_vector\u0022: \u0022proxy probe \u00b7 via TOR SOCKS:9050 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229050 \u00b7 TOR SOCKS\u0022, \u0022emulator_service\u0022: \u0022tor-socks\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab proxy_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab proxy_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tor-socks\u0022, \u0022service_label_fr\u0022: \u0022TOR SOCKS\u0022, \u0022dst_port\u0022: 9050, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tor-socks\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0001\\u0000\u0022, \u0022port\u0022: 9050, \u0022service\u0022: \u0022tor-socks\u0022, \u0022service_label_fr\u0022: \u0022TOR SOCKS\u0022}, \u0022attack_vector\u0022: \u0022proxy probe \u00b7 via TOR SOCKS:9050 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00229050 \u00b7 TOR SOCKS\u0022, \u0022emulator_service\u0022: \u0022tor-socks\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tor_socks\u0022, \u0022service_banner\u0022: \u0022honeypot-tor-socks\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229050\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_proxy_probe\u0022, \u0022socks5_greeting\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_proxy_probe\u0022, \u0022socks5_greeting\u0022]","anomalies":"[]","severity":4,"bytes_in":3},{"id":11833018,"ip":"94.154.43.36","ts":"2026-07-14 05:28:52.000000","proto":"tcp","src_port":38464,"dst_port":9040,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9040, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226bf2d63631b8791e5c5923ee3b0d014033812168\u0022, \u0022event_fingerprint\u0022: \u0022615225dca70938c0a39d9e09c1a00d7030042f72\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9040, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227b00358cd469dce61001127fc82d5687c1014413\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9040, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9040 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229040 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9040, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9040, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9040 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229040 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229040\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":11813494,"ip":"94.154.43.36","ts":"2026-07-14 02:57:46.000000","proto":"tcp","src_port":43128,"dst_port":9011,"service":"github-webhook","classification":"github_webhook_abuse","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206769746875625f776562686f6f6b20726561647920706f72743d393031310d0a\u0022, \u0022emulator_response_len\u0022: 45, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022github-webhook\u0022, \u0022app_proto\u0022: \u0022github-webhook\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9011, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002213f8fedd1df65cfb9a82ea51ed1f71f36b30a1ad\u0022, \u0022event_fingerprint\u0022: \u0022b3ad9468cd1d938826d29a60b9f87fd9a0b3eaaa\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab github_webhook_abuse \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 34}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022github-webhook\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00223a1138cde939a3dbf37a222ea59ef72a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9011, \u0022service\u0022: \u0022github-webhook\u0022, \u0022service_name\u0022: \u0022github-webhook\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab github_webhook_abuse \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d951bd49c4729d8f3e184685a4c51fba0b164d7d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 9011, \u0022service\u0022: \u0022github-webhook\u0022, \u0022service_label_fr\u0022: \u0022Webhook GitHub\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022github webhook abuse \u00b7 via Webhook GitHub:9011 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229011 \u00b7 Webhook GitHub\u0022, \u0022emulator_service\u0022: \u0022github-webhook\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab github_webhook_abuse \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab github_webhook_abuse \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 34\/100 (Faible) \u2014 MITRE TA0001 \u2014 via Webhook GitHub\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022github-webhook\u0022, \u0022service_label_fr\u0022: \u0022Webhook GitHub\u0022, \u0022dst_port\u0022: 9011, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-github-webhook\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 9011, \u0022service\u0022: \u0022github-webhook\u0022, \u0022service_label_fr\u0022: \u0022Webhook GitHub\u0022}, \u0022attack_vector\u0022: \u0022github webhook abuse \u00b7 via Webhook GitHub:9011 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229011 \u00b7 Webhook GitHub\u0022, \u0022emulator_service\u0022: \u0022github-webhook\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022github_webhook\u0022, \u0022service_banner\u0022: \u0022honeypot-github-webhook\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229011\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022github_webhook_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_github_webhook_abuse\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022github_webhook_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_github_webhook_abuse\u0022]","anomalies":"[]","severity":7,"bytes_in":198},{"id":11791637,"ip":"94.154.43.36","ts":"2026-07-13 23:27:51.000000","proto":"tcp","src_port":52454,"dst_port":9010,"service":"discord-webhook","classification":"discord_webhook_abuse","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f7420646973636f72645f776562686f6f6b20726561647920706f72743d393031300d0a\u0022, \u0022emulator_response_len\u0022: 46, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022discord-webhook\u0022, \u0022app_proto\u0022: \u0022discord-webhook\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9010, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d99d75c30869239d08f5a67c9b10ba0c1cea08d9\u0022, \u0022event_fingerprint\u0022: \u00222a6c80a04d61966fe8e01583789690745c7f305d\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab discord_webhook_abuse \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 34}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022discord-webhook\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u0022d660de731b44d608719f6d1a3051f13e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9010, \u0022service\u0022: \u0022discord-webhook\u0022, \u0022service_name\u0022: \u0022discord-webhook\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab discord_webhook_abuse \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229e81a31016a426ff28d8a8974f7faced797d7d11\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 9010, \u0022service\u0022: \u0022discord-webhook\u0022, \u0022service_label_fr\u0022: \u0022Webhook Discord\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022discord webhook abuse \u00b7 via Webhook Discord:9010 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229010 \u00b7 Webhook Discord\u0022, \u0022emulator_service\u0022: \u0022discord-webhook\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab discord_webhook_abuse \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab discord_webhook_abuse \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 34\/100 (Faible) \u2014 MITRE TA0001 \u2014 via Webhook Discord\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022discord-webhook\u0022, \u0022service_label_fr\u0022: \u0022Webhook Discord\u0022, \u0022dst_port\u0022: 9010, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-discord-webhook\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 9010, \u0022service\u0022: \u0022discord-webhook\u0022, \u0022service_label_fr\u0022: \u0022Webhook Discord\u0022}, \u0022attack_vector\u0022: \u0022discord webhook abuse \u00b7 via Webhook Discord:9010 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229010 \u00b7 Webhook Discord\u0022, \u0022emulator_service\u0022: \u0022discord-webhook\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022discord_webhook\u0022, \u0022service_banner\u0022: \u0022honeypot-discord-webhook\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229010\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022discord_webhook_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_discord_webhook_abuse\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022discord_webhook_emulated\u0022, \u0022mozi_pattern\u0022, \u0022net_discord_webhook_abuse\u0022]","anomalies":"[]","severity":7,"bytes_in":198},{"id":11762923,"ip":"94.154.43.36","ts":"2026-07-13 20:48:20.000000","proto":"tcp","src_port":46180,"dst_port":9008,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a24182faa51e148cd6aead88a687811ccf6ea412\u0022, \u0022event_fingerprint\u0022: \u0022a56e4b3c718f344f2d7a18561cb6f577ecb89bb2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022331dc5b0c06bd5be60d33289d15990e5a007ee22\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":11738296,"ip":"94.154.43.36","ts":"2026-07-13 18:55:30.000000","proto":"tcp","src_port":37130,"dst_port":9003,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9003, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ba58de24568567db85a76ae0a6cd7970d2a9b6de\u0022, \u0022event_fingerprint\u0022: \u0022c77ccedae28dd7ee49ac0146bbc52f795f892acb\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9003, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d20c7fe31c7d55d98b2eae66c3cea1dd53936ba5\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9003, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9003 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229003 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9003, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9003, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9003 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229003 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229003\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":11703706,"ip":"94.154.43.36","ts":"2026-07-13 15:07:11.000000","proto":"tcp","src_port":53752,"dst_port":9002,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9002, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227899e52aeae705582e43cb4c7fb3a8b3c314f4b7\u0022, \u0022event_fingerprint\u0022: \u00226ec9dd34bbfa877a0175e730d616e0936b2bcf5b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 54}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9002, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229dfbc047e9de9ad77966121d1e7978d6df13ba78\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9002, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9002 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229002 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 54}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9002, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9002, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9002 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229002 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":11677913,"ip":"94.154.43.36","ts":"2026-07-13 12:46:03.000000","proto":"tcp","src_port":39126,"dst_port":9001,"service":"tor-or","classification":"tor_exit_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022030000000000000000\u0022, \u0022emulator_response_len\u0022: 9, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022tor-or\u0022, \u0022app_proto\u0022: \u0022tor-or\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9001, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 62.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a17b1a16d360e7d2518ecdc9dee319ab1bc8f78e\u0022, \u0022event_fingerprint\u0022: \u00222bc74a66a243c40126697f519e65200a159d147e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%\u0022, \u0022confidence\u0022: 0.46, \u0022classification_confidence\u0022: 0.46, \u0022precision_score\u0022: 55, \u0022precision_signals\u0022: [\u0022INT-TOR-exit-hint\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-TOR-exit-hint\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 42}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tor-or\u0022, \u0022risk_confidence_factor\u0022: 46.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u0022d2d40d620e587c49ef0af866b893b1d5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9001, \u0022service\u0022: \u0022tor-or\u0022, \u0022service_name\u0022: \u0022tor-or\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%\u0022}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022mitre_tactics\u0022: [\u0022TA0011\u0022], \u0022mitre\u0022: \u0022TA0011\u0022, \u0022threat_family\u0022: [\u0022botnet\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002228d413b05c4366bb7a9dcd779a5bacdeaedf1fc5\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 9001, \u0022service\u0022: \u0022tor-or\u0022, \u0022service_label_fr\u0022: \u0022TOR OR\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via TOR OR:9001 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022target_port_label\u0022: \u00229001 \u00b7 TOR OR\u0022, \u0022emulator_service\u0022: \u0022tor-or\u0022, \u0022confidence_reason\u0022: \u0022Confiance 46 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE TA0011 \u2014 confiance 46 % \u2014 via TOR OR\u0022, \u0022confidence_pct\u0022: 46, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 42}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022attack_stage_label\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022tor-or\u0022, \u0022service_label_fr\u0022: \u0022TOR OR\u0022, \u0022dst_port\u0022: 9001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-TOR-exit-hint\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Tor Exit Hint\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0011\u0022, \u0022mitre_technique\u0022: \u0022TA0011\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tor-or\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 9001, \u0022service\u0022: \u0022tor-or\u0022, \u0022service_label_fr\u0022: \u0022TOR OR\u0022}, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via TOR OR:9001 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229001 \u00b7 TOR OR\u0022, \u0022emulator_service\u0022: \u0022tor-or\u0022, \u0022confidence_reason\u0022: \u0022Confiance 46 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 46 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022command_and_control\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tor_or\u0022, \u0022service_banner\u0022: \u0022honeypot-tor-or\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_tor_probe\u0022, \u0022tor_exit_probe\u0022, \u0022tor_or_emulated\u0022, \u0022tor_or_payload\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_tor_probe\u0022, \u0022tor_exit_probe\u0022, \u0022tor_or_emulated\u0022, \u0022tor_or_payload\u0022]","anomalies":"[]","severity":7,"bytes_in":198},{"id":11642758,"ip":"94.154.43.36","ts":"2026-07-13 09:52:12.000000","proto":"tcp","src_port":40300,"dst_port":9000,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9000, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226191062c1b14f64968c1f0044dfe8145c37ac81b\u0022, \u0022event_fingerprint\u0022: \u0022612d080f0a092a26d4ba5a51639d710fd52d67fd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 54}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228b7e9ed691a1caa79e2ff4de6dbe9874a001d2f7\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 54}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:9000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00229000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":11571623,"ip":"94.154.43.36","ts":"2026-07-13 04:32:08.000000","proto":"tcp","src_port":41898,"dst_port":8989,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8989, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221ef86d9d4b4c0c9899547d4f2b049e3f7e09961a\u0022, \u0022event_fingerprint\u0022: \u00226453d385fe6ec00ab8b5d0d2f2518aa60822d4a0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 56}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8989, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002249a568cb7182d2deaa9b12bef3971bf8a74952f6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 8989, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:8989 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228989 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 56}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 56, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8989, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 8989, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:8989 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00228989 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228989\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":11541755,"ip":"94.154.43.36","ts":"2026-07-13 02:06:15.000000","proto":"tcp","src_port":53142,"dst_port":8899,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8899, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022490132f6196ea5283780d130270024e2472b0621\u0022, \u0022event_fingerprint\u0022: \u00222dcea5242040a7af0b608b27edc6a0747c5e6b49\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8899, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dc75f2802efc4d1532d201764e3a582e0597c4f2\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 8899, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:8899 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228899 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 53, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8899, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 8899, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:8899 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00228899 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228899\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":11507489,"ip":"94.154.43.36","ts":"2026-07-12 23:11:57.000000","proto":"tcp","src_port":50858,"dst_port":8888,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8888, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229f8f2cb59e83cdba491abde855261d24116a05cb\u0022, \u0022event_fingerprint\u0022: \u0022799f8169a269524ed24d2e68c2d42663912beeda\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022, \u0022pat-0599\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022, \u0022HTTP alt 8888 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022, \u0022pat-0599\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022035993779101d0171e83d9f8c72938b3b9d26c70\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:8888 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 56, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8888, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:8888 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00228888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228888\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":11471128,"ip":"94.154.43.36","ts":"2026-07-12 19:39:42.000000","proto":"tcp","src_port":58552,"dst_port":8887,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8887, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228f08ca0a56a13d854271d44adb2cc20955d8452b\u0022, \u0022event_fingerprint\u0022: \u002279904c89925ced788a01e9a682b7d8362f47496b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8887, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223df5ce542e7a64085d78b68bcae5ad0c92364ab7\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 8887, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:8887 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228887 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8887, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 8887, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:8887 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00228887 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228887\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":11460247,"ip":"94.154.43.36","ts":"2026-07-12 17:25:57.000000","proto":"tcp","src_port":51214,"dst_port":8886,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8886, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229465e9fb0addc2a724227fe562b357f6b0b4e253\u0022, \u0022event_fingerprint\u0022: \u0022fb6683d079468ae7f9cde8300ae116e02480157c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8886, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220fe80b84b795cc472d85d81d3b08cd03b6e87cc6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 8886, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:8886 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228886 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8886, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 8886, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:8886 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00228886 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228886\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":11429628,"ip":"94.154.43.36","ts":"2026-07-12 15:07:11.000000","proto":"tcp","src_port":57332,"dst_port":8885,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8885, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222d1438e554498ea6a5c64dfbeb32b7b04267b612\u0022, \u0022event_fingerprint\u0022: \u0022391524c220b5f5ea4b44637fecbec534e2af5a78\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8885, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d7e276e3541b93631ddd6c42ac01f16cd17b032c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 8885, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:8885 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228885 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8885, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 8885, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:8885 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00228885 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228885\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":11411453,"ip":"94.154.43.36","ts":"2026-07-12 11:24:16.000000","proto":"tcp","src_port":48720,"dst_port":8883,"service":"mqtts","classification":"mqtt_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022mqtts\u0022, \u0022app_proto\u0022: \u0022mqtts\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8883, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002228665ff08ebb7cfb8513af2c84b168f90ecbec8a\u0022, \u0022event_fingerprint\u0022: \u00225f7b059db7e7baf96b44a473308871c1ef92cf07\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 34}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mqtts\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00224449b927317468afa12a2f935a413459\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8883, \u0022service\u0022: \u0022mqtts\u0022, \u0022service_name\u0022: \u0022mqtts\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002207706d7f63cca5e16a05b0d23a93e389b2e65e00\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 8883, \u0022service\u0022: \u0022mqtts\u0022, \u0022service_label_fr\u0022: \u0022MQTTS\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via MQTTS:8883 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228883 \u00b7 MQTTS\u0022, \u0022emulator_service\u0022: \u0022mqtts\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mqtts\u0022, \u0022service_label_fr\u0022: \u0022MQTTS\u0022, \u0022dst_port\u0022: 8883, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mqtts\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022port\u0022: 8883, \u0022service\u0022: \u0022mqtts\u0022, \u0022service_label_fr\u0022: \u0022MQTTS\u0022}, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via MQTTS:8883 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00228883 \u00b7 MQTTS\u0022, \u0022emulator_service\u0022: \u0022mqtts\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mqtts\u0022, \u0022service_banner\u0022: \u0022honeypot-mqtts\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228883\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022mqtts_emulated\u0022, \u0022mqtts_payload\u0022, \u0022net_mqtt_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022mqtts_emulated\u0022, \u0022mqtts_payload\u0022, \u0022net_mqtt_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":198},{"id":11341510,"ip":"94.154.43.36","ts":"2026-07-12 07:26:21.000000","proto":"tcp","src_port":42862,"dst_port":8882,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8882, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a71eeebe06d7761bf3548c3a81edcf61b52d1779\u0022, \u0022event_fingerprint\u0022: \u00220226d2896ec60299da7c6ba349be7f7f71015fb6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8882, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d6026fa4d179bc36f6f44cbd282391493665b856\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 8882, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:8882 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228882 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8882, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 8882, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:8882 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00228882 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228882\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198},{"id":11316778,"ip":"94.154.43.36","ts":"2026-07-12 04:17:35.000000","proto":"tcp","src_port":60874,"dst_port":8881,"service":"http","classification":"lfi_php_wrapper","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"http:\/\/146.56.180.42:3333\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u0022f3319d01fc77637a165edf73d37019b576860ff1\u0022, \u0022http_target_hash\u0022: \u002274b5e1596dbc476fbb17df28e2493104a108e0aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.215744906159282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 219502, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8881, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220631c1cb451dbc6a1a5f2e8de4a8bf842ede17d8\u0022, \u0022event_fingerprint\u0022: \u00225165748e71e4d3991497801bd8e9198cd5b650d9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 136, \u0022precision_signals\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_patterns\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 931100\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022lfi_attack\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 219502, \u0022org\u0022: \u0022Storm Industries LLC\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00223b1265ad8082238f3c608ec3ac053893\u0022, \u0022path_pattern_hash\u0022: \u00220dcd9bfbc2ee3db7a55cce5999240db1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8881, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002243cedc0ae7cbe20ecb60710765419f0c083b450b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 8881, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:8881 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228881 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_php_wrapper \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8881, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0088\u0022, \u0022pat-0103\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 8881, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi php wrapper \u00b7 via HTTP:8881 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET http:\/\/146.56.180.42:3333\/ HTTP\/1.1\\r\\nHost: 146.56.180.42:3333\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWe\u0022, \u0022target_port_label\u0022: \u00228881 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228881\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"146.56.180.42:3333","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_absolute_uri\u0022]","anomalies":"[]","severity":8,"bytes_in":198}],"total_events":80}