Anthropic-Cybersecurity-Skills/skills/detecting-modbus-protocol-anomalies/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


API Reference: Detecting Modbus Protocol Anomalies

Modbus Protocol Limits

| Parameter | Maximum Value |
|---|---|
| Coil read quantity | 2000 |
| Register read quantity | 125 |
| Register write quantity | 123 |
| Unit ID range | 1-247 |
| PDU size | 253 bytes |

Anomaly Detection Methods

| Anomaly | Detection | Severity |
|---|---|---|
| Timing deviation | Polling interval outside tolerance | MEDIUM-HIGH |
| Excessive read | Quantity > protocol limits | HIGH |
| Invalid function code | Not in standard set | HIGH |
| Modbus scan | >5 unique function codes from source | HIGH |
| Register range violation | Address outside configured range | MEDIUM |

Zeek Modbus Log Fields

#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p func exception quantity

Suricata Modbus Rules

alert modbus any any -> any 502 (msg:"Modbus Invalid Function Code"; \
  modbus: function !1,!2,!3,!4,!5,!6,!15,!16; sid:4000001;)
alert modbus any any -> any 502 (msg:"Modbus Excessive Register Read"; \
  modbus: function 3; modbus: quantity > 125; sid:4000002;)

Scapy Modbus Analysis

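from scapy.all import rdpcap
from scapy.contrib.modbus import ModbusADURequest  # binds TCP dport 502 to Modbus

pkts = rdpcap("modbus.pcap")
for pkt in pkts:
    if pkt.haslayer(ModbusADURequest):
        adu = pkt[ModbusADURequest]
        # Read len from the ADU itself: on an Ethernet/IP capture, pkt.len
        # resolves to the IP total-length field, not the Modbus length.
        # funcCode lives in the PDU payload; None if the PDU was not decoded.
        func_code = getattr(adu.payload, "funcCode", None)
        print(f"FC={func_code} Len={adu.len}")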

Baseline Monitoring

# Expected polling behavior
expected_interval = 1.0  # seconds
tolerance = 0.5
# Alert if interval < 0.5s or > 3.0s
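
The limits table, the detection methods and the polling baseline above can be combined into one pass over a modbus.log. The following is an added example, not the repository's agent.py. It assumes the `func` column carries Zeek-style function names, keys the polling interval per source, destination and function, and uses constructed sample records; `detect`, `LIMITS`, `ROWS` and `SAMPLE` are hypothetical names.

```python
from collections import defaultdict
# Column order from the "#fields" line on this page (tab-separated).
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "func", "exception", "quantity"]
# Assumed Zeek-style names for the standard set; value = quantity limit or None.
LIMITS = {"READ_COILS": 2000, "READ_DISCRETE_INPUTS": 2000,
          "READ_HOLDING_REGISTERS": 125, "READ_INPUT_REGISTERS": 125,
          "WRITE_SINGLE_COIL": None, "WRITE_SINGLE_REGISTER": None,
          "WRITE_MULTIPLE_COILS": None, "WRITE_MULTIPLE_REGISTERS": 123}

def detect(lines, min_interval=0.5, max_interval=3.0, scan_threshold=5):
    """Return (severity, anomaly, source, detail) tuples for modbus.log lines."""
    alerts, funcs_by_src, last_seen = [], defaultdict(set), {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # blank or Zeek header line
        r = dict(zip(FIELDS, line.rstrip("\n").split("\t")))
        src, func, ts = r["id.orig_h"], r["func"], float(r["ts"])
        qty = int(r["quantity"]) if r["quantity"].isdigit() else None  # "-" = unset
        if func not in LIMITS:
            alerts.append(("HIGH", "invalid_function", src, func))
        elif qty is not None and LIMITS[func] is not None and qty > LIMITS[func]:
            alerts.append(("HIGH", "excessive_quantity", src, f"{func} qty={qty}"))
        if func not in funcs_by_src[src]:
            funcs_by_src[src].add(func)
            if len(funcs_by_src[src]) == scan_threshold + 1:  # fires once per source
                alerts.append(("HIGH", "modbus_scan", src, f">{scan_threshold} functions"))
        key = (src, r["id.resp_h"], func)  # assumption: one polling stream per function
        prev = last_seen.get(key)
        if prev is not None and not (min_interval <= ts - prev <= max_interval):
            alerts.append(("MEDIUM-HIGH", "timing_deviation", src, f"{ts - prev:.2f}s"))
        last_seen[key] = ts
    return alerts

P, A = "10.0.0.5", "10.0.0.99"  # constructed sample: P polls at 1 s, A sweeps functions
ROWS = [(100.0, P, "READ_HOLDING_REGISTERS", 10),
        (101.0, P, "READ_HOLDING_REGISTERS", 10),
        (101.1, P, "READ_HOLDING_REGISTERS", 10),   # early poll
        (102.0, A, "READ_COILS", 8), (102.1, A, "READ_DISCRETE_INPUTS", 8),
        (102.2, A, "READ_HOLDING_REGISTERS", 200),  # over the 125 limit
        (102.3, A, "READ_INPUT_REGISTERS", 4), (102.4, A, "WRITE_SINGLE_COIL", "-"),
        (102.5, A, "DIAGNOSTICS", "-")]             # outside the page's standard set
SAMPLE = ["#fields\t" + "\t".join(FIELDS)] + [
    f"{ts}\tC{i}\t{src}\t49152\t10.0.0.20\t502\t{fn}\t-\t{q}"
    for i, (ts, src, fn, q) in enumerate(ROWS)]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert, sep="  ")
```

Register range violations are not covered because the field list above carries no address column.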

CLI Usage

python agent.py --modbus-log modbus.log
python agent.py --modbus-log modbus.log --expected-interval 2.0