id: conpot-siemens-honeypot-detect

info:
  name: Conpot (Siemens) Honeypot - Detect
  author: UnaPibaGeek
  severity: info
  description: |
    A Conpot (Siemens) honeypot has been identified.
    The response to a first packet of a connection attempt differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 1
    verified: true
    vendor: conpot
    product: siemens
    shodan-query: html:"Overview - Siemens, SIMATIC"
  tags: conpot,siemens,honeypot,ir,cti,network

tcp:
  - inputs:
      - data: "0300001611e00000000400c1020100c2020102c0010a"
        type: hex

    host:
      - "{{Hostname}}"
    port: 102
    read-size: 1024

    matchers:
      - type: binary
        binary:
          - "030000130ed00000000000c1020000c2020000"
# digest: 490a00463044022021e6afb3e77181c8a48f696d615396954631920d336c086edecff8d9ff5daf6b0220566d89766581d8b4e11aed3949ccbf9348e204a065c14bfd879bc42c9d519ec0:922c64590222798bb761d5b6d8e72950