creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 13:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
1cffd664f555699d8e2b46f5ea94edaaa520f721
Anthropic-Cybersecurity-Skills/skills/performing-s7comm-protocol-security-analysis/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

2.3 KiB
Raw Blame History

S7comm Protocol Security Analysis - API Reference

pyshark Library

Python wrapper for TShark (Wireshark CLI) for packet analysis.

Loading S7comm Traffic

import pyshark
cap = pyshark.FileCapture("traffic.pcap", display_filter="s7comm")
for pkt in cap:
    s7_layer = pkt.s7comm
    print(s7_layer.rosctr, s7_layer.param_func)
cap.close()

Key S7comm Layer Fields

Field Description
s7comm.rosctr PDU type: 1=Job, 2=Ack, 3=Ack-Data, 7=Userdata
s7comm.param_func Function code (hex)
s7comm.error_class Error class (0 = no error)
s7comm.error_code Specific error code
s7comm.param_data Parameter data payload

S7comm Function Codes

Code Name Risk Level
0x04 Read Var Low - read process data
0x05 Write Var High - modify PLC memory
0x28 Setup Communication Low - session init
0x29 PLC Run Critical - start PLC execution
0x1a PLC Stop Critical - halt PLC execution
0xf0 Userdata Medium - diagnostics/programming

S7comm Protocol Overview

S7comm runs over ISO-on-TCP (RFC 1006) on port 102. The protocol stack:

  1. TCP connection on port 102
  2. TPKT header (RFC 1006)
  3. COTP connection-oriented transport (ISO 8073)
  4. S7comm PDU

Security Concerns

  • No built-in authentication in S7comm (pre-S7comm-Plus)
  • No encryption of traffic
  • Write operations can modify PLC logic and process values
  • Stop/Run commands can halt industrial processes

Detection Patterns

Unauthorized Access

Multiple unique source IPs connecting to a single PLC (> 3 sources) indicates potential unauthorized access.

Brute Force

Repeated error responses (error_class != 0) from a PLC to a single source exceeding threshold count.

Dangerous Operations

Any write_var, run, or stop function codes should be flagged and correlated with authorized change windows.

Output Schema

{
  "report": "s7comm_protocol_security_analysis",
  "total_s7_packets": 1500,
  "total_findings": 8,
  "severity_summary": {"critical": 2, "high": 5, "medium": 1},
  "traffic_patterns": {"function_distribution": {"read_var": 1200, "write_var": 50}},
  "findings": [{"type": "dangerous_operation_stop", "severity": "critical"}]
}

CLI Usage

python agent.py --pcap capture.pcap --brute-threshold 10 --output report.json
Reference in New Issue View Git Blame Copy Permalink