[nuclei-template] IEC104 honeypot detection #13429

@JeroenSlobbe

Hi,

Based on the work of UnaPibaGeek (https://github.com/UnaPibaGeek/honeypots-detection), I created a template to detect the conpot IEC104 honeypot. Would you be interested in adding the template to the repository?

Kind Regards,
Jeroen

```yaml
id: conpot-iec104-honeypot-fingerprint

info:
  name: Conpot IEC104 Honeypot - TESTFR Confirmation
  author: Jeroen Slobbe
  severity: info
  description: |
    Detects IEC104 honeypot behavior.
    Matches the expected last response to the C_IC_NA_1 Interrogation frame for 7720 (0x28 0x1e) from Conpot or similar honeypots.
  tags: conpot,iec104,honeypot,fingerprint,nuclei

tcp:
  - host:
      - '{{Host}}:2404'
    inputs:
      - type: hex
        data: "680443000000" # TESTFR ACT
        read: 64
      - type: hex
        data: "680407000000" # STARTDT ACT
        read: 64
      - type: hex
        data: "680e0000000064010600ffff00000014" # C_IC_NA_1 Interrogation
        read: 1024

    matchers-condition: and
    matchers:
      - type: binary
        part: body
        binary:
          - "684a0200020001101400281e"
```
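Added example, not part of the original issue or of the nuclei project: a small Python decoder for the IEC 60870-5-104 frames in the template above. It shows that the matched prefix is an M_SP_NA_1 response carrying 16 objects, cause of transmission 20 and common address 7720. The function names are this example's own, and the field layout assumes the usual IEC 104 sizes (1-byte originator, 2-byte common address, 3-byte IOA).

```python
import struct

# U-format control functions and the two ASDU type IDs used in the template
U_FUNCS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
           0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}
TYPE_IDS = {1: "M_SP_NA_1", 100: "C_IC_NA_1"}

def decode_apdu(hexstr, prefix=False):
    """Decode the APCI and, for I-frames, the ASDU header of an IEC 104 frame.
    prefix=True accepts a truncated frame such as the matcher's leading bytes."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 6 or raw[0] != 0x68:
        raise ValueError("need start byte 0x68, length octet and 4 control octets")
    length, ctrl = raw[1], raw[2:6]
    if not prefix and length != len(raw) - 2:
        raise ValueError(f"length octet says {length}, frame carries {len(raw) - 2}")
    if ctrl[0] & 0x03 == 0x03:  # U-format: unnumbered control function
        return {"format": "U", "function": U_FUNCS.get(ctrl[0], hex(ctrl[0]))}
    if ctrl[0] & 0x03 == 0x01:  # S-format: supervisory acknowledgement
        return {"format": "S", "recv_seq": struct.unpack("<H", ctrl[2:4])[0] >> 1}
    if len(raw) < 12:
        raise ValueError("I-frame too short to hold an ASDU header")
    # I-format: sequence numbers are stored shifted left by one bit
    send, recv = (v >> 1 for v in struct.unpack("<HH", ctrl))
    type_id, vsq, cot, _originator, ca = struct.unpack("<BBBBH", raw[6:12])
    return {"format": "I", "length": length, "send_seq": send, "recv_seq": recv,
            "type": TYPE_IDS.get(type_id, type_id), "objects": vsq & 0x7F,
            "sequence": bool(vsq & 0x80), "cot": cot & 0x3F, "common_address": ca}

def m_sp_na_1_length(objects):
    """APDU length octet for a non-sequence M_SP_NA_1 frame:
    4 control + 6 ASDU header + (3-byte IOA + 1-byte SIQ) per object."""
    return 4 + 6 + objects * 4

if __name__ == "__main__":
    # The three probe frames and the matcher prefix, copied from the template
    for label, frame, prefix in [
        ("input 1", "680443000000", False),
        ("input 2", "680407000000", False),
        ("input 3", "680e0000000064010600ffff00000014", False),
        ("matcher", "684a0200020001101400281e", True),
    ]:
        print(label, decode_apdu(frame, prefix))
```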
