creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 05:34:55 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/detecting-modbus-command-injection-attacks/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

1.6 KiB
Raw Blame History

API Reference: Detecting Modbus Command Injection Attacks

Modbus Function Codes

Code Function Risk
1 Read Coils Read
3 Read Holding Registers Read
5 Write Single Coil Write (dangerous)
6 Write Single Register Write (dangerous)
15 Write Multiple Coils Write (dangerous)
16 Write Multiple Registers Write (dangerous)
8 Diagnostics Diagnostic

Zeek Modbus Log

#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p func

Suricata Modbus Rules

alert modbus any any -> any 502 (msg:"Modbus Write Coil"; \
  modbus: function 5; sid:3000001;)
alert modbus any any -> any 502 (msg:"Modbus Write Multiple Registers"; \
  modbus: function 16; sid:3000002;)

pymodbus Library

from pymodbus.client import ModbusTcpClient

client = ModbusTcpClient("192.168.1.100", port=502)
client.connect()
result = client.read_holding_registers(0, 10, slave=1)
print(result.registers)
client.close()

Scapy Modbus Parsing

from scapy.contrib.modbus import ModbusADURequest
from scapy.all import rdpcap

pkts = rdpcap("modbus.pcap")
for pkt in pkts:
    if pkt.haslayer(ModbusADURequest):
        print(f"Function: {pkt.funcCode}")

Detection Thresholds

Anomaly Threshold Severity
Write flood >20 writes/60s CRITICAL
Unknown function code Any HIGH
Unauthorized master Not in allowlist CRITICAL

CLI Usage

python agent.py --zeek-log modbus.log
python agent.py --zeek-log modbus.log --authorized-masters 10.0.0.1 10.0.0.2
Reference in New Issue View Git Blame Copy Permalink