Skip to content

Modbus Honeypot Enterprise

The Modbus service emulates a Modbus TCP device. It is useful for detecting reconnaissance and unauthorized access attempts against industrial control systems (ICS) and operational technology (OT) networks where Modbus is common.

Configuration

Modbus services are configured from the Enterprise dashboard. Open Trapsters, select a device, go to the Services tab, and add the Modbus service.

Options

OptionDescription
PortTCP port (default 502)
Device typeThe industrial device Trapster impersonates

Device types

TypeDescription
Schneider M580 FactoryCastSchneider Electric M580 PLC
Schneider BMX P34 CPU BSchneider BMX P34 CPU module
GW-2200 Modbus GatewayGW-2200 Modbus gateway

Match your environment

Choose a device type that matches equipment on your OT network. Attackers scanning for Modbus devices will see a familiar fingerprint.

What gets captured

EventFields
Connection madeSource IP and port
Query receivedModbus function codes requested

Pairing with breadcrumbs

From the Modbus service row, click Generate breadcrumb to create a decoy credential or script tied to this Trapster. See Breadcrumbs.