Get STIX Reports from ICS Honeypot Conpot

06 Aug 2014 Lukas Rist conpot honeypot ics scada stix taxii
The team working on the ICS/SCADA honeypot Conpot, just merged in a more mature support for STIX (Structured Threat Information eXpression) formatted reporting via TAXII (Trusted Automated eXchange of Indicator Information) into the master branch on Github. STIX allows us to represent event sessions captured by the honeypot in a structured format, which eases the integration of Conpot into existing consumer (e.g. SIEM) infrastructures. By transforming an arbitrary honeypot event into a schema defined format, we are able to communicate an incident in a language, which is also understandable by someone not trained in interpreting industrial protocol messages.