detecting-modbus-protocol-anomalies

Featured

This skill covers detecting anomalies in Modbus/TCP and Modbus RTU communications in industrial control systems. It addresses function code monitoring, register range validation, timing analysis, unauthorized client detection, and deep packet inspection for malformed Modbus frames. The skill leverages Zeek with Modbus protocol analyzers, Suricata IDS with OT rules, and custom Python-based detection using Markov chain models for normal Modbus transaction sequences.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 99/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Detecting Modbus Protocol Anomalies ## When to Use - When deploying Modbus-specific intrusion detection in an OT environment - When building baseline models for deterministic Modbus polling patterns - When investigating suspicious Modbus traffic flagged by OT monitoring tools - When implementing function code allowlisting on industrial firewalls - When detecting unauthorized Modbus write commands that could manipulate process setpoints **Do not use** for securing Modbus communications end-to-end (Modbus has no native security; see implementing-network-segmentation-for-ot for firewall-based controls), for non-Modbus protocol monitoring (see detecting-anomalies-in-industrial-control-systems for multi-protocol), or for active fuzzing of Modbus implementations (see performing-plc-firmware-security-analysis). ## Prerequisites - Network SPAN/TAP access to monitor Modbus/TCP traffic (port 502) - Zeek (formerly Bro) with Modbus protocol analyzer or Suricata with OT rulesets - Python 3.9+ with scapy and pymodbus for custom analysis - Baseline capture of normal Modbus traffic (minimum 1-2 weeks) - Documentation of authorized Modbus clients, function codes, and register maps ## Workflow ### Step 1: Capture and Parse Modbus Traffic Deploy passive monitoring to capture all Modbus/TCP traffic and parse it into structured records for analysis. ```python #!/usr/bin/env python3 """Modbus Protocol Anomaly Detection System. Monitors Modbus/TCP traffic for anomalies including unautho...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

monitoring-scada-modbus-traffic-anomalies

Monitors Modbus TCP traffic on SCADA and ICS networks to detect anomalous function code usage, unauthorized register writes, and suspicious communication patterns. The analyst uses deep packet inspection with pymodbus, Scapy, and Zeek to baseline normal PLC/RTU communication behavior, then applies statistical and rule-based anomaly detection to identify reconnaissance, parameter manipulation, and denial-of-service attacks targeting Modbus devices on port 502. Activates for requests involving Modbus traffic analysis, SCADA network monitoring, ICS anomaly detection, PLC security monitoring, or OT network threat detection.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-modbus-command-injection-attacks

Detect command injection attacks against Modbus TCP/RTU protocol in ICS environments by monitoring for unauthorized write operations, anomalous function codes, malformed frames, and deviations from established communication baselines using ICS-aware IDS and protocol deep packet inspection.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-anomalies-in-industrial-control-systems

This skill covers deploying anomaly detection systems for industrial control environments using machine learning models trained on OT network baselines, physics-based process models, and behavioral analysis of industrial protocol communications. It addresses building normal behavior profiles for SCADA polling patterns, detecting deviations in Modbus/DNP3/OPC UA traffic, identifying rogue devices, and correlating network anomalies with physical process data from historians.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-dnp3-protocol-anomalies

Detect anomalies in DNP3 (Distributed Network Protocol 3) communications used in SCADA systems by monitoring for unauthorized control commands, firmware update attempts, protocol violations, and deviations from baseline traffic patterns using deep packet inspection and machine learning approaches.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-attacks-on-scada-systems

This skill covers detecting cyber attacks targeting Supervisory Control and Data Acquisition (SCADA) systems including man-in-the-middle attacks on industrial protocols, unauthorized command injection into PLCs, HMI compromise, historian data manipulation, and denial-of-service against control system communications. It leverages OT-specific intrusion detection systems, industrial protocol anomaly detection, and process data analytics to identify attacks that traditional IT security tools miss.

12,642 Updated today
mukul975