Modbus Honeypot Enterprise
The Modbus service emulates a Modbus TCP device. It is useful for detecting reconnaissance and unauthorized access attempts against industrial control systems (ICS) and operational technology (OT) networks where Modbus is common.
Configuration
Modbus services are configured from the Enterprise dashboard. Open Trapsters, select a device, go to the Services tab, and add the Modbus service.
Options
| Option | Description |
|---|---|
| Port | TCP port (default 502) |
| Device type | The industrial device Trapster impersonates |
Device types
| Type | Description |
|---|---|
| Schneider M580 FactoryCast | Schneider Electric M580 PLC |
| Schneider BMX P34 CPU B | Schneider BMX P34 CPU module |
| GW-2200 Modbus Gateway | GW-2200 Modbus gateway |
Match your environment
Choose a device type that matches equipment on your OT network. Attackers scanning for Modbus devices will see a familiar fingerprint.
What gets captured
| Event | Fields |
|---|---|
| Connection made | Source IP and port |
| Query received | Modbus function codes requested |
Pairing with breadcrumbs
From the Modbus service row, click Generate breadcrumb to create a decoy credential or script tied to this Trapster. See Breadcrumbs.
