detecting-dnp3-protocol-anomalies


Detect anomalies in DNP3 (Distributed Network Protocol 3) communications used in SCADA systems by monitoring for unauthorized control commands, firmware update attempts, protocol violations, and deviations from baseline traffic patterns using deep packet inspection and machine learning approaches.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Skill Content

# Detecting DNP3 Protocol Anomalies

## When to Use

- When monitoring SCADA systems in the energy sector where DNP3 is the primary protocol
- When building detection rules for DNP3-based attacks against RTUs and substations
- When investigating suspected unauthorized control commands sent via DNP3
- When deploying IDS with DNP3 deep packet inspection at utility substations
- When responding to alerts from OT monitoring platforms about DNP3 traffic anomalies

**Do not use** for non-DNP3 protocol monitoring (see detecting-modbus-command-injection-attacks for Modbus), for DNP3 Secure Authentication configuration (separate implementation), or for protocol-agnostic network anomaly detection.

## Prerequisites

- Network TAP/SPAN on DNP3 communication segments (TCP port 20000 or serial)
- Baseline of normal DNP3 traffic patterns (masters, outstations, poll intervals, function codes)
- Suricata or Zeek with DNP3 protocol parser enabled
- Understanding of DNP3 function codes and object groups used in the environment
- DNP3 communication topology map (master-to-outstation relationships)

## Workflow

### Step 1: Analyze DNP3 Traffic for Anomalies

```python
#!/usr/bin/env python3
"""DNP3 Protocol Anomaly Detector.

Monitors DNP3 communications for unauthorized control commands, protocol
violations, and deviations from established baselines. Supports both TCP
and serial DNP3 deployments.
"""
import struct
import sys
import json
from collections import defaultdict
from datetime import...
```

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0
