The scoring engine, as far as we can tell from pcaps, simply does simple tasks to verify a service is working. We have noticed that it jumps around to different IP’s to mimic real users. Here are some screenshots of a pcap for the scoring engines traffic. Hopefully you can use this to get a better idea of how a service is being scored. Contact me if you would like the entire pcap.
On our team, I have each team member go through and identify attackers and the scoring engine from the pcaps taken from previous years.
Some of the services it scores: FTP, SSH, HTTP, HTTPS, DNS, SMTP, POP