detecting-modbus-protocol-anomalies▌
mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026
MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.
This skill covers detecting anomalies in Modbus/TCP and Modbus RTU communications in industrial control systems. It addresses function code monitoring, register range validation, timing analysis, unauthorized client detection, and deep packet inspection for malformed Modbus frames. The skill leverages Zeek with Modbus protocol analyzers, Suricata IDS with OT rules, and custom Python-based detection using Markov chain models for normal Modbus transaction sequences.
| name | detecting-modbus-protocol-anomalies |
| description | 'This skill covers detecting anomalies in Modbus/TCP and Modbus RTU communications in industrial control systems. It addresses function code monitoring, register range validation, timing analysis, unauthorized client detection, and deep packet inspection for malformed Modbus frames. The skill leverages Zeek with Modbus protocol analyzers, Suricata IDS with OT rules, and custom Python-based detection using Markov chain models for normal Modbus transaction sequences. ' |
| domain | cybersecurity |
| subdomain | ot-ics-security |
| tags | - ot-security - ics - scada - industrial-control - iec62443 - modbus - protocol-anomaly |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_ai_rmf | - MEASURE-2.7 - MAP-5.1 - MANAGE-2.4 |
| atlas_techniques | - AML.T0070 - AML.T0066 - AML.T0082 |
| nist_csf | - PR.IR-01 - DE.CM-01 - ID.AM-05 - GV.OC-02 |
Detecting Modbus Protocol Anomalies
When to Use
- When deploying Modbus-specific intrusion detection in an OT environment
- When building baseline models for deterministic Modbus polling patterns
- When investigating suspicious Modbus traffic flagged by OT monitoring tools
- When implementing function code allowlisting on industrial firewalls
- When detecting unauthorized Modbus write commands that could manipulate process setpoints
Do not use for securing Modbus communications end-to-end (Modbus has no native security; see implementing-network-segmentation-for-ot for firewall-based controls), for non-Modbus protocol monitoring (see detecting-anomalies-in-industrial-control-systems for multi-protocol), or for active fuzzing of Modbus implementations (see performing-plc-firmware-security-analysis).
Prerequisites
- Network SPAN/TAP access to monitor Modbus/TCP traffic (port 502)
- Zeek (formerly Bro) with Modbus protocol analyzer or Suricata with OT rulesets
- Python 3.9+ with scapy and pymodbus for custom analysis
- Baseline capture of normal Modbus traffic (minimum 1-2 weeks)
- Documentation of authorized Modbus clients, function codes, and register maps
Workflow
Step 1: Capture and Parse Modbus Traffic
Deploy passive monitoring to capture all Modbus/TCP traffic and parse it into structured records for analysis.
#!/usr/bin/env python3
"""Modbus Protocol Anomaly Detection System.
Monitors Modbus/TCP traffic for anomalies including unauthorized
function codes, unusual register access, timing deviations,
and rogue client devices.
"""
import json
import struct
import sys
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, stdev
try:
from scapy.all import sniff, rdpcap, IP, TCP
except ImportError:
print("Install scapy: pip install scapy")
sys.exit(1)
MODBUS_FUNCTION_CODES = {
1: ("Read Coils", "read"),
2: ("Read Discrete Inputs", "read"),
3: ("Read Holding Registers", "read"),
4: ("Read Input Registers", "read"),
5: ("Write Single Coil", "write"),
6: ("Write Single Register", "write"),
7: ("Read Exception Status", "diagnostic"),
8: ("Diagnostics", "diagnostic"),
11: ("Get Comm Event Counter", "diagnostic"),
12: ("Get Comm Event Log", "diagnostic"),
15: ("Write Multiple Coils", "write"),
16: ("Write Multiple Registers", "write"),
17: ("Report Slave ID", "diagnostic"),
22: ("Mask Write Register", "write"),
23: ("Read/Write Multiple Registers", "read_write"),
43: ("Encapsulated Interface Transport", "diagnostic"),
}
@dataclass
class ModbusAnomaly:
timestamp: str
anomaly_type: str
severity: str
src_ip: str
dst_ip: str
unit_id: int
func_code: int
detail: str
mitre_technique: str = ""
@dataclass
class ModbusSession:
"""Tracks state for a Modbus master-slave session."""
src_ip: str
dst_ip: str
func_codes_seen: dict = field(default_factory=lambda: defaultdict(int))
register_ranges: set = field(default_factory=set)
intervals: list = field(default_factory=lambda: deque(maxlen=500))
last_timestamp: float = 0
request_count: int = 0
write_count: int = 0
class ModbusAnomalyDetector:
"""Detects anomalies in Modbus/TCP traffic."""
def __init__(self):
self.sessions = {}
self.baseline_sessions = {}
self.anomalies = []
self.authorized_clients = set()
self.authorized_func_codes = {} # per-session allowed FCs
self.packet_count = 0
def set_authorized_clients(self, clients):
"""Set list of authorized Modbus client IPs."""
self.authorized_clients = set(clients)
def set_authorized_func_codes(self, session_key, func_codes):
"""Set allowed function codes for a specific session."""
self.authorized_func_codes[session_key] = set(func_codes)
def load_baseline(self, baseline_file):
"""Load baseline profiles from previous capture analysis."""
with open(baseline_file) as f:
baseline = json.load(f)
for key, data in baseline.get("modbus_baselines", {}).items():
self.baseline_sessions[key] = data
self.authorized_func_codes[key] = set(data.get("allowed_function_codes", []))
print(f"[*] Loaded {len(self.baseline_sessions)} Modbus baselines")
def process_packet(self, pkt):
"""Process a single packet for Modbus anomaly detection."""
if not pkt.haslayer(TCP) or not pkt.haslayer(IP):
return
# Check for Modbus/TCP (port 502)
if pkt[TCP].dport != 502 and pkt[TCP].sport != 502:
return
payload = bytes(pkt[TCP].payload)
if len(payload) < 8:
return
self.packet_count += 1
timestamp = float(pkt.time)
ts_str = datetime.fromtimestamp(timestamp).isoformat()
# Parse MBAP header
try:
trans_id = struct.unpack(">H", payload[0:2])[0]
proto_id = struct.unpack(">H", payload[2:4])[0]
length = struct.unpack(">H", payload[4:6])[0]
unit_id = payload[6]
func_code = payload[7]
except (IndexError, struct.error):
return
# Determine direction
if pkt[TCP].dport == 502:
src_ip = pkt[IP].src
dst_ip = pkt[IP].dst
is_request = True
else:
src_ip = pkt[IP].dst
dst_ip = pkt[IP].src
is_request = False
if not is_request:
return # Only analyze requests
session_key = f"{src_ip}->{dst_ip}"
# Get or create session
if session_key not in self.sessions:
self.sessions[session_key] = ModbusSession(src_ip=src_ip, dst_ip=dst_ip)
session = self.sessions[session_key]
session.request_count += 1
session.func_codes_seen[func_code] += 1
# ── Anomaly Detection Rules ──
# Rule 1: Unauthorized Modbus client
if self.authorized_clients and src_ip not in self.authorized_clients:
self.anomalies.append(ModbusAnomaly(
timestamp=ts_str,
anomaly_type="UNAUTHORIZED_CLIENT",
severity="critical",
src_ip=src_ip, dst_ip=dst_ip,
unit_id=unit_id, func_code=func_code,
detail=f"Modbus request from unauthorized client {src_ip}",
mitre_technique="T0886 - Remote Services",
))
# Rule 2: Unauthorized function code
allowed_fcs = self.authorized_func_codes.get(session_key)
if allowed_fcs and func_code not in allowed_fcs:
fc_info = MODBUS_FUNCTION_CODES.get(func_code, (f"Unknown FC{func_code}", "unknown"))
severity = "critical" if fc_info[1] == "write" else "high"
self.anomalies.append(ModbusAnomaly(
timestamp=ts_str,
anomaly_type="UNAUTHORIZED_FUNCTION_CODE",
severity=severity,
src_ip=src_ip, dst_ip=dst_ip,
unit_id=unit_id, func_code=func_code,
detail=f"FC {func_code} ({fc_info[0]}) not in allowlist {sorted(allowed_fcs)}",
mitre_technique="T0855 - Unauthorized Command Message",
))
# Rule 3: Write operation detection
if func_code in (5, 6, 15, 16, 22, 23):
session.write_count += 1
fc_name = MODBUS_FUNCTION_CODES.get(func_code, ("Unknown", ""))[0]
# Extract register address
if len(payload) >= 10:
register_addr = struct.unpack(">H", payload[8:10])[0]
session.register_ranges.add((func_code, register_addr))
self.anomalies.append(ModbusAnomaly(
timestamp=ts_str,
anomaly_type="WRITE_OPERATION",
severity="high",
src_ip=src_ip, dst_ip=dst_ip,
unit_id=unit_id, func_code=func_code,
detail=f"Write: {fc_name} to register {register_addr} from {src_ip}",
mitre_technique="T0836 - Modify Parameter",
))
# Rule 4: Timing anomaly
if session.last_timestamp > 0:
interval = (timestamp - session.last_timestamp) * 1000 # ms
session.intervals.append(interval)
baseline = self.baseline_sessions.get(session_key)
if baseline and len(session.intervals) > 10:
expected_interval = baseline.get("polling_interval_avg_sec", 0) * 1000
expected_std = baseline.get("polling_interval_stddev", 0) * 1000
if expected_std > 0:
z_score = abs(interval - expected_interval) / expected_std
if z_score > 5.0:
self.anomalies.append(ModbusAnomaly(
timestamp=ts_str,
anomaly_type="TIMING_ANOMALY",
severity="medium",
src_ip=src_ip, dst_ip=dst_ip,
unit_id=unit_id, func_code=func_code,
detail=(
f"Interval {interval:.0f}ms vs baseline "
f"{expected_interval:.0f}ms (z={z_score:.1f})"
),
mitre_technique="T0831 - Manipulation of Control",
))
# Rule 5: Protocol violation - invalid protocol ID
if proto_id != 0:
self.anomalies.append(ModbusAnomaly(
timestamp=ts_str,
anomaly_type="PROTOCOL_VIOLATION",
severity="high",
src_ip=src_ip, dst_ip=dst_ip,
unit_id=unit_id, func_code=func_code,
detail=f"Non-standard protocol ID {proto_id} (expected 0)",
mitre_technique="T0830 - Man in the Middle",
))
# Rule 6: Broadcast write (unit ID 0)
if unit_id == 0 and func_code in (5, 6, 15, 16):
self.anomalies.append(ModbusAnomaly(
timestamp=ts_str,
anomaly_type="BROADCAST_WRITE",
severity="critical",
src_ip=src_ip, dst_ip=dst_ip,
unit_id=unit_id, func_code=func_code,
detail="Broadcast write command (unit ID 0) affects ALL slaves",
mitre_technique="T0855 - Unauthorized Command Message",
))
session.last_timestamp = timestamp
def analyze_pcap(self, pcap_file):
"""Analyze pcap file for Modbus anomalies."""
print(f"[*] Analyzing {pcap_file}...")
packets = rdpcap(pcap_file)
for pkt in packets:
self.process_packet(pkt)
print(f"[*] Processed {self.packet_count} Modbus packets")
def generate_report(self):
"""Generate anomaly detection report."""
print(f"\n{'='*70}")
print("MODBUS PROTOCOL ANOMALY DETECTION REPORT")
print(f"{'='*70}")
print(f"Packets analyzed: {self.packet_count}")
print(f"Sessions tracked: {len(self.sessions)}")
print(f"Anomalies detected: {len(self.anomalies)}")
severity_counts = defaultdict(int)
type_counts = defaultdict(int)
for a in self.anomalies:
severity_counts[a.severity] += 1
type_counts[a.anomaly_type] += 1
print(f"\nBy Severity:")
for sev in ["critical", "high", "medium", "low"]:
if severity_counts[sev]:
print(f" {sev.upper()}: {severity_counts[sev]}")
print(f"\nBy Type:")
for atype, count in sorted(type_counts.items(), key=lambda x: -x[1]):
print(f" {atype}: {count}")
print(f"\nTop Anomalies:")
for a in self.anomalies[:15]:
print(f" [{a.severity.upper()}] {a.anomaly_type}: {a.detail}")
if __name__ == "__main__":
detector = ModbusAnomalyDetector()
if len(sys.argv) > 1:
# Load baseline if provided
if len(sys.argv) > 2:
detector.load_baseline(sys.argv[2])
detector.analyze_pcap(sys.argv[1])
detector.generate_report()
else:
print("Usage: python modbus_detector.py <pcap_file> [baseline.json]")
Key Concepts
| Term | Definition |
|---|---|
| Modbus/TCP | Industrial protocol running on TCP port 502, consisting of an MBAP header and PDU with function code and data |
| Function Code | Modbus command identifier (FC1-4: reads, FC5-6/15-16: writes, FC8: diagnostics) determining the operation type |
| MBAP Header | Modbus Application Protocol header containing transaction ID, protocol ID (0x0000), length, and unit ID |
| Unit ID | Modbus address (0-247) identifying the target slave device; unit ID 0 is broadcast to all slaves |
| Register Map | Vendor-specific mapping of Modbus register addresses to process variables (e.g., register 40001 = reactor temperature) |
| Function Code Allowlist | Security policy defining which Modbus function codes are permitted from each source IP to each target device |
Tools & Systems
- Zeek Modbus Analyzer: Network security monitor with built-in Modbus/TCP protocol analysis and logging
- Suricata with ET Open ICS rules: IDS/IPS with Modbus-specific detection rules for command injection and anomalies
- Wireshark Modbus Dissector: Protocol analyzer with full Modbus/TCP and Modbus RTU decoding
- PyModbus: Python Modbus library for building custom monitoring and testing tools
Output Format
Modbus Protocol Anomaly Detection Report
==========================================
Capture Period: YYYY-MM-DD to YYYY-MM-DD
Packets Analyzed: [N]
Sessions: [N]
ANOMALIES: [N]
UNAUTHORIZED_CLIENT: [N]
UNAUTHORIZED_FUNCTION_CODE: [N]
WRITE_OPERATION: [N]
TIMING_ANOMALY: [N]
BROADCAST_WRITE: [N]
How to use detecting-modbus-protocol-anomalies on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your development machine
- ›Node.js version 16.0+ with npm package manager (verify with
node --version) - ›Active project directory or workspace where you want to add detecting-modbus-protocol-anomalies
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches detecting-modbus-protocol-anomalies from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate detecting-modbus-protocol-anomalies. Access the skill through slash commands (e.g., /detecting-modbus-protocol-anomalies) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases▌
Task Automation & Efficiency
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Knowledge Enhancement
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Quality Improvement
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
Implementation Guide▌
Prerequisites
- ›Claude Desktop or compatible AI client with skill support
- ›Clear understanding of task or problem to solve
- ›Willingness to iterate and refine outputs
Time Estimate
15-45 minutes depending on use case complexity
Installation Steps
- 1.Install skill using provided installation command
- 2.Test with simple use case relevant to your work
- 3.Evaluate output quality and relevance
- 4.Iterate on prompts to improve results
- 5.Integrate into regular workflow if valuable
Common Pitfalls
- ⚠Expecting perfect results without iteration
- ⚠Not providing enough context in prompts
- ⚠Using skill for tasks outside its intended scope
- ⚠Accepting outputs without review and validation
Best Practices▌
✓ Do
- +Start with clear, specific prompts
- +Provide relevant context and constraints
- +Review and refine all outputs before using
- +Iterate to improve output quality
- +Document successful prompt patterns
✗ Don't
- −Don't use without understanding skill limitations
- −Don't skip validation of outputs
- −Don't share sensitive information in prompts
- −Don't expect skill to replace human judgment
💡 Pro Tips
- ★Be specific about desired format and style
- ★Ask for multiple options to choose from
- ★Request explanations to understand reasoning
- ★Combine AI efficiency with human expertise
When to Use This▌
✓ Use When
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid When
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
Learning Path▌
- 1Familiarize yourself with skill capabilities and limitations
- 2Start with low-risk, non-critical tasks
- 3Progress to more complex and valuable use cases
- 4Build expertise through regular use and experimentation
Discussion
Product Hunt–style comments (not star reviews)- No comments yet — start the thread.
Ratings
4.5★★★★★26 reviews- ★★★★★Ganesh Mohane· Dec 16, 2024
detecting-modbus-protocol-anomalies reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★Charlotte Lopez· Dec 16, 2024
detecting-modbus-protocol-anomalies reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★Sakshi Patil· Nov 7, 2024
I recommend detecting-modbus-protocol-anomalies for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★Chaitanya Patil· Oct 26, 2024
Useful defaults in detecting-modbus-protocol-anomalies — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- ★★★★★Rahul Santra· Sep 17, 2024
detecting-modbus-protocol-anomalies has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Dev Singh· Sep 17, 2024
detecting-modbus-protocol-anomalies has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Charlotte Smith· Sep 13, 2024
Keeps context tight: detecting-modbus-protocol-anomalies is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Daniel Chen· Sep 5, 2024
detecting-modbus-protocol-anomalies reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★Daniel Thompson· Aug 24, 2024
Registry listing for detecting-modbus-protocol-anomalies matched our evaluation — installs cleanly and behaves as described in the markdown.
- ★★★★★Pratham Ware· Aug 8, 2024
Solid pick for teams standardizing on skills: detecting-modbus-protocol-anomalies is focused, and the summary matches what you get after install.
showing 1-10 of 26