Administration Guide

FortiDeceptor decoys

FortiDeceptor creates a network of decoys to lure attackers and monitor their activities on the network. When a hacker attacks a decoy, an alert is generated and their malicious activities are captured and analyzed in real time. This analysis generates a mitigation and remediation response that protects the network.

The current FortiDeceptor decoy OS are:
  • Windows: Windows 7, Windows 10, Windows 2016 and Windows 2019
  • Linux: Ubuntu Desktop, CentOS
  • IoT/OT: SCADA version 3, Medical OS, and IoT OS
  • VPN: Fortinet SSL-VPN (FG-60E, FG-100F, FG-1500D, FG-2000E, FG-3700D)
  • Customized Windows: Windows 10, Windows Server 2016, Windows Server 2019

The current FortiDeceptor application decoys PACS are:
  • IoT/OT: POS OS, ERP OS PACS and SAP

The current FortiDeceptor lure services are:
  • Windows: RDP, SMB, TCPListener, NBNSSpoofSpotter and ICMP
  • Linux: SSH, SAMBA, TCPListener, HTTP, HTTPS, GIT and ICMP
  • IoT/OT: HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, ENIP, Kamstrup, DNP3, Telnet, PACS-WEB, PACS, DICOM server, Infusion Pump (TELNET), Infusion Pump (FTP), POS-WEB, ERP-WEB, GUARDIAN-AST, IEC104, Jetdirect, Printer-WEB, IP Camera-WEB, UPnP, RTSP, CDP, TP-link WEB, CWMP, SAP DISPATCHER and SAP WEB
  • SSL VPN: HTTPS
  • Customized Windows: RDP, SMB, NBNSSpoofSpotter, MSSQL, IIS (HTTP/HTTPS) and ICMP

The current FortiDeceptor IP address capacity limits are:
  • A single FDCIKF can host up to 16 deception VMs.
  • A single FDCIKG can host up to 20 deception VMs.
  • A single FDCVMS can host up to 20 deception VMs.
  • A single deception VM supports up to 24 IP addresses or decoys. Each IP represents a decoy.
  • A single FortiDeceptor appliance (HW/VM) can support up to 480 IP addresses.
  • A single FortiDeceptor appliance (HW/VM) can support up to 128 segments (VLANs).

VPN only supports 8 IPs.

Cisco Decoy only supports 1 VLAN.
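
An added example (not from the Fortinet documentation): a pre-deployment check that validates a planned decoy layout against the capacity limits listed above and also flags decoy IPs that fall outside their segment or are assigned twice. The plan format, the `kind` labels, and the reading of the VPN and Cisco notes as per-deception-VM limits are assumptions; the addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field

# Limits as stated in the capacity list above.
MAX_VMS = {"FDCIKF": 16, "FDCIKG": 20, "FDCVMS": 20}
MAX_IPS_PER_VM = 24
MAX_IPS_PER_APPLIANCE = 480
MAX_VLANS_PER_APPLIANCE = 128
# Assumption: the two notes apply per deception VM of that type.
MAX_IPS_PER_VPN_VM = 8
MAX_VLANS_PER_CISCO_VM = 1


@dataclass
class DeceptionVM:
    name: str
    kind: str  # hypothetical labels: "windows", "linux", "scada", "vpn", "cisco"
    decoys: list = field(default_factory=list)  # (ip, vlan_id) pairs, one per decoy


def validate_plan(model, segments, vms):
    """Check a deployment plan; return a list of violations (empty = plan fits).

    segments maps a VLAN id to the CIDR of that segment (hypothetical format).
    """
    if model not in MAX_VMS:
        return [f"unknown appliance model {model!r}"]
    problems = []
    if len(vms) > MAX_VMS[model]:
        problems.append(f"{model}: {len(vms)} deception VMs exceeds {MAX_VMS[model]}")

    owner = {}          # ip -> VM name, to catch one IP assigned to two decoys
    used_vlans = set()
    for vm in vms:
        ip_limit = MAX_IPS_PER_VPN_VM if vm.kind == "vpn" else MAX_IPS_PER_VM
        if len(vm.decoys) > ip_limit:
            problems.append(f"{vm.name}: {len(vm.decoys)} IPs exceeds {ip_limit}")
        vm_vlans = {vlan for _, vlan in vm.decoys}
        if vm.kind == "cisco" and len(vm_vlans) > MAX_VLANS_PER_CISCO_VM:
            problems.append(f"{vm.name}: Cisco decoy spans {len(vm_vlans)} VLANs")
        used_vlans |= vm_vlans
        for ip_text, vlan in vm.decoys:
            ip = ipaddress.ip_address(ip_text)
            if vlan not in segments:
                problems.append(f"{vm.name}: VLAN {vlan} is not a defined segment")
            elif ip not in ipaddress.ip_network(segments[vlan]):
                problems.append(f"{vm.name}: {ip} is outside VLAN {vlan} ({segments[vlan]})")
            if ip in owner:
                problems.append(f"{vm.name}: {ip} already used by {owner[ip]}")
            else:
                owner[ip] = vm.name

    if len(owner) > MAX_IPS_PER_APPLIANCE:
        problems.append(f"{len(owner)} decoy IPs exceeds {MAX_IPS_PER_APPLIANCE}")
    if len(used_vlans) > MAX_VLANS_PER_APPLIANCE:
        problems.append(f"{len(used_vlans)} VLANs exceeds {MAX_VLANS_PER_APPLIANCE}")
    return problems


# Constructed sample plan with four deliberate mistakes.
SEGMENTS = {10: "10.10.10.0/24", 20: "10.10.20.0/24", 30: "10.10.30.0/24"}
PLAN = [
    DeceptionVM("win-office", "windows", [("10.10.10.50", 10), ("10.10.10.51", 10)]),
    # 9 addresses on a VPN decoy VM: one over the VPN limit.
    DeceptionVM("vpn-edge", "vpn", [(f"10.10.20.{i}", 20) for i in range(100, 109)]),
    # Cisco decoy placed in two VLANs.
    DeceptionVM("cisco-core", "cisco", [("10.10.10.1", 10), ("10.10.30.1", 30)]),
    # Second decoy reuses win-office's IP and does not belong to VLAN 30.
    DeceptionVM("plc-line", "scada", [("10.10.30.77", 30), ("10.10.10.50", 30)]),
]

if __name__ == "__main__":
    for problem in validate_plan("FDCIKF", SEGMENTS, PLAN):
        print(problem)
```
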

Decoy services details

IoT OS

Brother MFC Printer Decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Brother MFC Printer decoy.

Jetdirect

Enable this service to open port 9100 on the decoy VM and respond to PJL (Printer Job Language) requests.

Printer-WEB

A web GUI that simulates the administration GUI of Brother NC-340h printer.

Cisco router decoy

Service

Description

Models

4 Cisco images (models) are supported: 2691, 3660, 3725 and 3745.

An error is displayed if you upload an image that is not supported.

Router Running-Config (optional)

Allows you to upload a customized Cisco config file to predefine the Cisco router settings.

Telnet service

A login-required service that enables attackers to utilize all Cisco router functions.

HTTP service

A login-required GUI service similar to the telnet service but with less functionality.

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Cisco router decoy.

CDP service

Enable this service to allow the decoy VM to send CDP traffic within the network.

HP printer decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for HP printer decoy.

Jetdirect

  • Enable this service to open port 9100 on the decoy VM, and respond to PJL (Printer Job Language) requests.

Printer-WEB

  • A web GUI that simulates the administration GUI of HP Officejet Pro X451dw printer.

IP camera decoy

Service

Description

IP Camera-WEB

  • A login-required service that displays videos to simulate IP cameras. Default videos are available. However, we strongly recommend uploading 1-8 .mp4 videos that fit best with the working environment.

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for IP camera decoy.

UPnP service

  • Enable this service to open port 8080 on the decoy VM and simulate UPnP service.
  • A UPnP message is broadcast within the network. The message contains a URL from which the attacker can download a .xml file showing device information.

RTSP service

  • When this service is enabled, you will also need to upload a video to a predefined location so the attacker can watch the video.

  • The RTSP port can be adjusted.

  • To upload the video, you can use ffmpeg, or any other method to infinitely loop a video so it is available to the attacker.

Example:

To infinitely loop a video:

    sudo ffmpeg -re -stream_loop -1 -i {path_to_local_video} -c copy -f rtsp rtsp://{ip}:{port}/{name_you_choose}

From the attacker's perspective, the live camera stream is available at rtsp://{ip}:{port}/{name_you_choose}.

Lexmark Printer decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Lexmark Printer decoy.

Jetdirect

Enable this service to open port 9100 on the decoy VM and respond to PJL (Printer Job Language) requests.

Printer-WEB

A web GUI that simulates the administration GUI of Lexmark MX410de printer.

TP-LINK decoy

Service

Description

TP-LINK WEB

Enable this service to allow attackers to log in to a fake TP-Link settings site.

CWMP

Enable this service to send data using the CWMP protocol to {ip}:{port}/cpe.

Medical

Service

Description

Infusion Pump (Telnet) service

  • Simulates Infusion Pump (telnet)

  • A username/password is required to log in.

Infusion Pump (FTP)

  • Simulates Infusion Pump (FTP)

  • A username/password is required to log in.

PACS service

  • A user-defined name for the PACS system.

PACS-WEB service

  • Login-required web GUI for PACS, with existing medical data

  • Port can be adjusted

DICOM Server service

  • Server port can be adjusted

  • Server name can be adjusted

  • DICOM operations (e.g. C-STORE, C-FIND) are supported

POS

Service

Description

POS-WEB service

  • Login-required web GUI that simulates a POS website

  • Port can be adjusted

CRM (ERP)

Service

Description

ERP-WEB service

  • Login-required web GUI that simulates an ERP website

  • Port can be adjusted

SAP

Service

Description

SAP ROUTER

  • Enable SAP ROUTER Service so SAP Logon can configure the SAProuter String.
  • Use the default port to ensure SAP Logon can connect.

SAP DISPATCHER

  • Enable SAP DISPATCHER so SAP Logon can get responses from the SAP decoy.
  • Use the default port to ensure SAP Logon can connect.

SAP WEB

A fake SAP HTTP and HTTPS GUI for SAP Fiori Launchpad or Legacy WebGUI.

SCADA (version 3) OS

Ascent Compass MNG decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

FTP service

  • Enable this service to capture attacks through FTP on the default FTP port.

  • FTP banner is user-defined.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Ascent Compass MNG decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.

Guardian-AST decoy

Service

Description

Guardian-AST service

  • Enable this service to simulate an AST’s satellite communications remote asset tracking system named Guardian.

  • To deploy a Guardian-AST decoy, this service must be enabled since it is the only service available.

IPMI Device decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for IPMI Device decoy.

FTP service

  • Enable this service to capture attacks through FTP on the default FTP port.

  • FTP banner is user-defined.

IPMI service

  • Enable this service to capture attacks through IPMI on the default IPMI port.

KAMSTRUP 382 decoy

Service

Description

KAMSTRUP service

  • Toggle to enable/disable this service. Enable this service to simulate a Kamstrup device.

  • To deploy a KAMSTRUP decoy, this service must be enabled since it is the only service available.

Liebert Spruce UPS decoy

Service

Description

TFTP

Enable this service to capture attacks through TFTP on the default TFTP port.

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Liebert Spruce UPS decoy.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

Niagara4 Station decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for IPMI Device decoy.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

BACNET

Enable this service to capture attacks through BACNET on the default BACNET port.

NiagaraAX Station decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for IPMI Device decoy.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

BACNET

Enable this service to capture attacks through BACNET on the default BACNET port.

PowerLogic ION7650 decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for PowerLogic ION7650 decoy.

MODBUS

Enable this service to capture attacks through MODBUS on the default MODBUS port.

DNP3

Enable this service to capture attacks through DNP3 on the default DNP3 port.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell 1769-L16ER/B LOGIX5316ER decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Rockwell 1769-L16ER/B LOGIX5316ER decoy.

ENIP

Enable this service to capture attacks through ENIP on the default ENIP port.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell 1769-L35E Ethernet Port decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Rockwell 1769-L35E Ethernet Port decoy.

ENIP

Enable this service to capture attacks through ENIP on the default ENIP port.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell PLC decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

  • HTTP page title is user-defined.

TFTP service

  • Enable this service to capture attacks through TFTP on the default TFTP port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Siemens Rockwell PLC decoy.

ENIP service

  • Enable this service to capture attacks through ENIP on the default ENIP port.

  • ENIP serial number is user-defined.

Schneider EcoStruxure BMS server decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Schneider EcoStruxure BMS server decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

TRICONEX service

  • Enable this service to capture attacks with the TRICONEX service.

Schneider Power Meter - PM5560 decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Schneider Power Meter - PM5560 decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

DNP3 service

  • Enable this service to capture attacks through DNP3 on the default DNP3 port.

ENIP service

  • Enable this service to capture attacks through ENIP on the default ENIP port.

Schneider SCADAPack 333E decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Schneider SCADAPack 333E decoy.

DNP3 service

  • Enable this service to capture attacks through DNP3.

Telnet service

  • Login-required telnet service that simulates the SCADAPack E Smart RTU command-line environment.

Siemens S7-200 PLC decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

  • HTTP page title is user-defined.

  • Plant Identification is user-defined.

  • Serial Number is user-defined.

TFTP service

  • Enable this service to capture attacks through TFTP on the default TFTP port.

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Siemens S7-200 PLC decoy.

MODBUS service

  • Enable this service to capture attacks through MODBUS on the default MODBUS port.

S7COMM service

  • Enable this service to capture attacks through S7COMM on the default S7COMM port.

  • Module Type is user-defined.

  • PLC Name is user-defined.

Siemens S7-300 PLC decoy

TFTP service

  • Enable this service to capture attacks through TFTP on the default TFTP port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Siemens S7-300 PLC decoy.

IEC104 service

  • Enable this service to capture attacks through IEC104 on the default IEC104 port.

VAV-DD BACNET controller decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for VAV-DD BACNET controller decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.
