CRITICAL: Honeypot ICS Scanner Events Report

DESCRIPTION LAST UPDATED: 2024-08-16

DEFAULT SEVERITY LEVEL: CRITICAL

This report identifies hosts that have been observed performing scanning activity against Industrial Control System (ICS) sensors (honeypots).

Scanning for ICS devices may be a benign activity; for example, having to do with a research project, or perfomed by an organization like the Shadowserver Foundation looking for open or vulnerable services that it can report to National CERTs and network owners so that they can remediate their networks.

Other scans, however, may be part of a network reconnaissance in the preparatory phase of an attack, or an attempt to exploit the devices being scanned.

Basic information collected includes the source of the scan and the requests being sent, including the communication state and any other protocol specific details, if available. Note that because the ICS sensors used are also HTTP-aware, observed scans may also include non-ICS related attacks that happen to also hit these sensors. These may be considered false positives from an ICS-related attack perspective, but they may be attacks in themselves too.

Track ICS scans seen by us on the Dashboard, for example here.

Severity levels are described here.

File name: event4_honeypot_ics_scan

This report type was originally created as part of the EU Horizon 2020 SISSDEN Project.

Fields

  • timestamp
    Timestamp when the IP was seen in UTC+0
  • protocol
    Packet type of the connection traffic (UDP/TCP)
  • src_ip
    The IP of the device in question
  • src_port
    Source port of the IP connection
  • src_asn
    ASN of the source IP
  • src_geo
    Country of the source IP
  • src_region
    Region of the source IP
  • src_city
    City of the source IP
  • src_hostname
    Reverse DNS of the source IP
  • src_naics
    North American Industry Classification System Code
  • src_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • device_vendor
    Source device vendor
  • device_type
    Source device type
  • device_model
    Source device model
  • severity
    Severity level
  • dst_ip
    Destination IP
  • dst_port
    Destination port of the IP connection
  • dst_asn
    ASN of the destination IP
  • dst_geo
    Country of the destination IP
  • dst_region
    Region of the destination IP
  • dst_city
    City of the destination IP
  • dst_hostname
    Reverse DNS of the destination IP
  • dst_naics
    North American Industry Classification System Code
  • dst_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • public_source
    Source of the event data
  • infection
    Description of the malware/infection
  • family
    Malware family or campaign associated with the event
  • tag
    Event attributes
  • application
    Application name associated with the event
  • version
    Software version associated with the event
  • event_id
    Unique identifier assigned to the source IP or event
  • state
    Connection state (if applicable)
  • sensor_id
    ID of sensor target device
  • slave_id
    Modbus slave id being requested (if applicable)
  • function_code
    Modbus function code being used (if Modbus query)
  • request
    Request logged
  • response
    Response to query

Sample

"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","severity","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id","state","sensor_id","slave_id","function_code","request","response"
"2010-02-10 00:00:00",,192.168.0.1,56970,64512,ZZ,Region,City,node01.example.com,0,"Communications, Service Provider, and Hosting Service",,,,critical,172.16.0.1,47808,65534,ZZ,Region,City,node01.example.net,0,,,ics-scan,,bacnet,,,,NEW_CONNECTION,d4b1478b-03bf-431c-9400-1f0900ebf1bb,,,,
"2010-02-10 00:00:01",,192.168.0.2,42620,64512,ZZ,Region,City,node02.example.com,0,"Communications, Service Provider, and Hosting Service",,,,critical,172.16.0.2,102,65534,ZZ,Region,City,node02.example.net,0,,,ics-scan,,s7comm,,,,NEW_CONNECTION,1e7fc00b-cc51-401b-a5b0-097256020cff,,,,
"2010-02-10 00:00:02",,192.168.0.3,50748,64512,ZZ,Region,City,node03.example.com,0,,,,,critical,172.16.0.3,47808,65534,ZZ,Region,City,node03.example.net,0,"Education Services",,ics-scan,,bacnet,,,,NEW_CONNECTION,6cdb206a-6488-4a11-8d5b-cce44ea756e3,,,,

Our 132 Report Types

« Back to Network Reporting