detecting-modbus-protocol-anomalies

by mukul975

detecting-modbus-protocol-anomalies helps detect suspicious Modbus/TCP and Modbus RTU behavior in OT and ICS networks, including invalid function codes, out-of-range register access, abnormal polling timing, unauthorized writes, and malformed frames. Useful for a Security Audit and evidence-based triage.

Stars6.1k

Favorites0

Comments0

AddedMay 9, 2026

CategorySecurity Audit

Install Command

npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-modbus-protocol-anomalies

Curation Score

This skill scores 78/100, which means it is a solid listing candidate for users who need Modbus-specific anomaly detection guidance. The repository gives enough workflow detail, protocol limits, and runnable support material to justify installation, though users should still expect some implementation judgment when adapting it to their OT environment.

78/100

Strengths

Specific Modbus OT use cases are clearly stated, including function-code monitoring, register validation, timing analysis, unauthorized client detection, and malformed frame inspection.
Operational artifacts are included: a Python script, Zeek/Suricata examples, and an API reference with protocol limits and log-field guidance.
The skill defines when to use it and when not to use it, improving triggerability and reducing guesswork for agents.

Cautions

The skill appears strongest for detection and analysis workflows; it does not present full end-to-end Modbus security or remediation automation.
There is no install command in SKILL.md, so users may need to infer setup and execution steps from the script and reference files.

Modbus Protocol Analysis Ot Security Ics Scada Industrial Control Suricata Zeek

Overview

Overview of detecting-modbus-protocol-anomalies skill

What this skill is for

The detecting-modbus-protocol-anomalies skill helps you spot suspicious Modbus/TCP or Modbus RTU behavior in OT and ICS networks: invalid function codes, out-of-range register access, abnormal polling timing, unauthorized writes, and malformed frames. It is a good fit for a Security Audit when you need a practical detection workflow, not a broad Modbus primer.

Who should use it

Use the detecting-modbus-protocol-anomalies skill if you are a security engineer, OT analyst, or defender validating Modbus traffic against known-good behavior. It is most useful when you already have packet captures, Zeek logs, Suricata alerts, or a repeatable polling baseline and need to decide what is anomalous.

What makes it different

This skill is not just a prompt wrapper. It combines protocol limits, detection heuristics, and example tooling around Zeek, Suricata, and Python analysis. That makes it more actionable than a generic “analyze this traffic” prompt, especially when you want the model to reason from concrete Modbus limits and log fields.

How to Use detecting-modbus-protocol-anomalies skill

Install and load context

For a standard install, use the repository skill path and then read the core instruction file first:
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-modbus-protocol-anomalies

Then inspect SKILL.md, references/api-reference.md, and scripts/agent.py before running the skill in a real task. Those files tell you what fields, limits, and detection methods the skill expects.

Give the skill the right input

The best detecting-modbus-protocol-anomalies usage starts with a narrow, evidence-based prompt. Include:

protocol type: Modbus/TCP or Modbus RTU
data source: pcap, Zeek log, Suricata alert, or exported event log
device roles: PLC, HMI, historian, engineering workstation
known-good polling pattern if you have one
the question: detect, triage, explain, or draft rules

A strong prompt looks like:

Analyze this Modbus/TCP capture for timing anomalies, invalid function codes, and unauthorized write behavior. Use the limits in the repo, assume the PLC should only accept function codes 3 and 4 from the HMI, and call out any events that exceed protocol bounds.

Suggested workflow for better results

Start with the capture or log format, not the conclusion.
Ask for a short anomaly summary first.
Then request per-event reasoning tied to Modbus limits.
If needed, ask for Zeek or Suricata rule ideas after the analysis.

If your task is a detecting-modbus-protocol-anomalies guide for an audit, ask for output in three buckets: confirmed anomaly, suspicious but explainable, and normal baseline behavior.

Files to read first

Prioritize:

SKILL.md for the intended detection flow
references/api-reference.md for protocol thresholds and sample rule logic
scripts/agent.py for the actual parsing and detection approach

detecting-modbus-protocol-anomalies skill FAQ

Is this only for Modbus/TCP?

No. The skill covers both Modbus/TCP and Modbus RTU, but the practical examples lean toward log and packet analysis. If you only have raw serial captures with no decoding context, expect to provide more preprocessing detail.

Can I use it without OT security experience?

Yes, if you can describe the traffic source and expected device behavior. The skill is beginner-friendly for analysis tasks, but not beginner-safe for production response unless you already understand Modbus function codes and asset roles.

How is this different from a generic prompt?

The detecting-modbus-protocol-anomalies skill is more useful because it anchors the model to protocol-specific thresholds, detection methods, and field names. A generic prompt often misses Modbus limits like read quantity caps or function-code allowlists.

When should I not use it?

Do not use detecting-modbus-protocol-anomalies for end-to-end Modbus encryption, broad network segmentation design, or non-Modbus industrial protocols. It is also a poor fit if you have no traffic data and only want policy writing with no packet or log evidence.

How to Improve detecting-modbus-protocol-anomalies skill

Feed it baselines, not just alerts

The biggest quality jump comes from giving the model the expected polling interval, allowed function codes, and normal source-destination pairs. Without a baseline, the skill can identify obvious protocol violations but will be weaker at separating drift from attack.

State the decision rule you want

If you want the output to support a Security Audit, say what counts as actionable. For example:

flag any function code outside 1, 2, 3, 4, 5, 6, 15, 16
alert on register reads above 125
treat new client IPs as unauthorized unless whitelisted

That turns the task from “summarize traffic” into “apply policy.”

Watch the common failure modes

The most common mistakes are missing device context, mixing up Modbus/TCP and RTU assumptions, and asking for detection without enough log fields. If the first pass is too vague, improve the input before asking for a longer explanation.

Iterate from evidence to rule

A strong detecting-modbus-protocol-anomalies install decision usually becomes a strong workflow when you test one sample file, review the reasoning, then ask for a second pass with tighter thresholds or custom allowlists. If the first answer is close, refine the prompt with specific assets, addresses, and function-code expectations rather than asking for a broader reanalysis.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

security-threat-model

by openai

Repository-grounded security-threat-model skill for AppSec threat modeling. It maps trust boundaries, assets, attacker goals, abuse paths, and mitigations into a concise Markdown threat model. Use it when you need security-threat-model for Threat Modeling on a specific repo or path, not a generic architecture review or code check.

Threat Modeling

Favorites 0GitHub 0

solana-vulnerability-scanner

by trailofbits

solana-vulnerability-scanner is a focused Solana security audit skill for native Rust and Anchor programs. It helps review CPI logic, PDA validation, signer and ownership checks, and sysvar spoofing to catch six critical Solana-specific vulnerabilities before deployment.

Security Audit

Favorites 0GitHub 4.9k

azure-ai-contentsafety-ts

by microsoft

azure-ai-contentsafety-ts helps analyze text and images for harmful content with Azure AI Content Safety in TypeScript. Use this skill for moderation workflows, blocklists, and security audit checks for hate, violence, sexual content, and self-harm. It also covers Azure endpoint and auth setup.

Security Audit

Favorites 0GitHub 2.3k

sharp-edges

by trailofbits

The sharp-edges skill helps you find APIs, configs, and interfaces where the easy path leads to insecure use. Use it to review authentication flows, cryptographic wrappers, dangerous defaults, null or zero semantics, and misuse-prone design choices. It is a strong fit for sharp-edges for Security Audit work when you need concrete footguns, not generic security guesses.

Security Audit

Favorites 0GitHub 5k

security-review

by affaan-m

Use the security-review skill to review auth, user input, secrets, APIs, payments, uploads, and other sensitive flows. It provides a practical security-review guide with clear pass/fail checks, risky-pattern examples, and a focused process for catching common issues before release.

Security Audit

Favorites 0GitHub 156.3k

django-security

by affaan-m

django-security is a practical guide for hardening Django apps with authentication, authorization, CSRF, XSS, SQL injection prevention, secure cookies, and production settings. It helps developers and reviewers run a focused Security Audit, quickly spot risky config, and apply concrete fixes before deployment.

Security Audit

Favorites 0GitHub 156.1k

exploiting-insecure-data-storage-in-mobile

by mukul975

The exploiting-insecure-data-storage-in-mobile skill helps assess and extract evidence from insecure local storage in Android and iOS apps. It covers SharedPreferences, SQLite databases, plist files, world-readable files, backup exposure, and weak keychain/keystore handling for mobile pentesting and Security Audit workflows.

Security Audit

Favorites 0GitHub 6.2k

detecting-s3-data-exfiltration-attempts

by mukul975

detecting-s3-data-exfiltration-attempts helps investigate possible AWS S3 data theft by correlating CloudTrail S3 data events, GuardDuty findings, Amazon Macie alerts, and S3 access patterns. Use this detecting-s3-data-exfiltration-attempts skill for Security Audit, incident response, and suspicious bulk-download analysis.

Security Audit

Favorites 0GitHub 6.2k

building-incident-response-playbook

by mukul975

building-incident-response-playbook helps security teams create reusable incident response playbooks with step-by-step phases, decision trees, escalation criteria, RACI ownership, and SOAR-ready structure. It is designed for incident response procedure documentation, incident triage workflows, and audit-friendly operational response plans.

Incident Triage

Favorites 0GitHub 6.1k

building-patch-tuesday-response-process

by mukul975

building-patch-tuesday-response-process helps teams build a repeatable Microsoft Patch Tuesday process to triage advisories, rank risk, test patches, approve rollout, and track compliance. Useful for security operations, vulnerability management, and building-patch-tuesday-response-process for Project Management.

Project Management

Favorites 0GitHub 6.1k

ossfuzz

by trailofbits

Learn the ossfuzz skill for continuous fuzzing setup, project enrollment, harness planning, and build workflow review. This guide helps security engineers and maintainers assess readiness, spot build blockers, and prepare a practical path from source tree to OSS-Fuzz or private fuzzing infrastructure.

Security Audit

Favorites 0GitHub 5k

codeql

by trailofbits

The codeql skill helps you run CodeQL with fewer blind spots during a security audit. It focuses on database quality, suite selection, data extensions, and SARIF review so you can use codeql usage more reliably across supported languages. Use it for repeatable codeql guide steps when analyzing real repositories.

Security Audit

Favorites 0GitHub 5k

semgrep-rule-creator

by trailofbits

semgrep-rule-creator creates production-quality Semgrep rules for security vulnerabilities, bug patterns, taint-flow detections, and coding standards. Use the semgrep-rule-creator skill for Security Audit work when you need precise rules, test cases, and validation instead of a generic draft.

Security Audit

Favorites 0GitHub 5k

insecure-defaults

by trailofbits

The insecure-defaults skill helps spot fail-open configuration patterns that let software run with unsafe settings instead of stopping. Use it for a Security Audit of production code, deployment configs, and secret-handling logic to catch weak auth, hardcoded secrets, and permissive defaults.

Security Audit

Favorites 0GitHub 5k

constant-time-analysis

by trailofbits

constant-time-analysis is a security-audit skill for finding timing side-channel risks in cryptographic code before they become exploitable bugs. Use it to review secret-dependent math, branches, comparisons, and compiled output when checking C, C++, Go, Rust, Swift, Java, Kotlin, PHP, JavaScript, TypeScript, Python, or Ruby.

Security Audit

Favorites 0GitHub 5k

secure-workflow-guide

by trailofbits

secure-workflow-guide guides a 5-step Solidity security workflow: Slither triage, feature-specific checks, visual inspection, security-property notes, and manual review. It is built for smart contract teams, auditors, and builders who want a repeatable secure-workflow-guide guide before deployment or release.

Security Audit

Favorites 0GitHub 4.9k