id: conpot-siemens-honeypot-detect

info:
  name: Conpot (Siemens) Honeypot - Detect
  author: UnaPibaGeek
  severity: info
  description: |
    A Conpot (Siemens) honeypot has been identified.
    The response to a first packet of a connection attempt differs from real installations, signaling a possible deceptive setup.
  metadata:
    verified: true
    max-request: 1
    vendor: conpot
    product: siemens
    shodan-query:
      - html:"Overview - Siemens, SIMATIC"
      - http.html:"overview - siemens, simatic"
    fofa-query: body="overview - siemens, simatic"
  tags: conpot,siemens,honeypot,ir,cti,network,tcp
tcp:
  - inputs:
      - data: "0300001611e00000000400c1020100c2020102c0010a"
        type: hex

    host:
      - "{{Hostname}}"
    port: 102
    read-size: 1024

    matchers:
      - type: binary
        binary:
          - "030000130ed00000000000c1020000c2020000"
# digest: 4a0a00473045022100da62d4a83212817c496030215d47413be6d0548caa1625f087b8da0ac196d3f5022015a384c6685bc755fa96f1d681ca04e66e5f33780c49da1f84ad57825115a054:922c64590222798bb761d5b6d8e72950