Add Modbus TCP protocol analyzer #7

@Zious11

Description

Summary

Implement a Modbus TCP analyzer for ICS/OT network forensics.

Requirements

  • Detect Modbus TCP on port 502
  • Parse MBAP header (transaction ID, protocol ID, length, unit ID)
  • Parse function codes: Read Coils (0x01), Read Holding Registers (0x03), Write Single Coil (0x05), Write Multiple Registers (0x10), etc.
  • Track write operations as higher-risk events
  • Detect anomalies: unusual function codes (Diagnostics 0x08, including the Restart Communications sub-function 0x08/0x01), rapid write bursts, exception responses
  • Map to MITRE ICS: T0855 (Unauthorized Command Message), T0836 (Modify Parameter)

Acceptance Criteria

  • `ModbusAnalyzer` implements `ProtocolAnalyzer`
  • Tests with crafted Modbus TCP packets
  • Summarize: function code distribution, write counts, exception counts
  • Findings for suspicious write patterns and unusual function codes
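As an added example (not the issue's or the project's code), the following Python sketches the MBAP parse, write tracking and anomaly checks listed above; the `ProtocolAnalyzer` interface, the burst thresholds and the sample frames are assumptions.

```python
import struct
from collections import Counter
from dataclasses import dataclass

WRITE_FCS = {0x05, 0x06, 0x0F, 0x10}          # single/multiple coil and register writes
DIAG_FC, RESTART_SUBFN = 0x08, 0x0001          # Diagnostics / Restart Communications Option
BURST_WINDOW_S, BURST_COUNT = 1.0, 5           # assumed thresholds: 5 writes within 1 s

@dataclass
class ModbusPDU:
    tid: int
    unit: int
    fc: int                  # function code with the exception bit (0x80) cleared
    exception: "int | None"  # exception code when the response had that bit set
    data: bytes

def parse_mbap(payload: bytes) -> ModbusPDU:  # one Modbus/TCP ADU: 7-byte MBAP + PDU
    if len(payload) < 8:
        raise ValueError("truncated: need MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:  # length covers unit id + PDU
        raise ValueError("bad MBAP: protocol id must be 0 and length must match payload")
    fc = payload[7]
    if fc & 0x80:  # exception response: request fc with the high bit set
        return ModbusPDU(tid, unit, fc & 0x7F, payload[8] if len(payload) > 8 else 0, b"")
    return ModbusPDU(tid, unit, fc, None, payload[8:])

def analyze(frames) -> dict:  # frames: iterable of (timestamp_s, tcp_payload) from port 502
    s = {"fc_counts": Counter(), "writes": 0, "exceptions": 0, "findings": []}
    write_times = []
    for ts, raw in frames:
        pdu = parse_mbap(raw)
        s["fc_counts"][pdu.fc] += 1
        if pdu.exception is not None:
            s["exceptions"] += 1
            s["findings"].append(f"exception {pdu.exception:#04x} to fc {pdu.fc:#04x}, unit {pdu.unit}")
        elif pdu.fc in WRITE_FCS:
            s["writes"] += 1
            write_times = [t for t in write_times if ts - t <= BURST_WINDOW_S] + [ts]
            if len(write_times) == BURST_COUNT:
                s["findings"].append(f"write burst: {BURST_COUNT} writes in {BURST_WINDOW_S}s (T0836)")
        elif pdu.fc == DIAG_FC and pdu.data[:2] == struct.pack(">H", RESTART_SUBFN):
            s["findings"].append(f"diagnostics restart 0x08/0x0001 to unit {pdu.unit} (T0855)")
    return s

def sample_frames():  # constructed traffic, not a real capture
    writes = [(0.1 * i, struct.pack(">HHHB", i, 0, 6, 1) + b"\x05\x00\x00\xff\x00") for i in range(5)]
    return writes + [  # 5 Write Single Coil within 0.4 s, then:
        (1.0, b"\x00\x05\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),  # Read Holding Registers
        (1.1, b"\x00\x06\x00\x00\x00\x03\x01\x83\x02"),              # exception 0x02 to fc 0x03
        (2.0, b"\x00\x07\x00\x00\x00\x06\x01\x08\x00\x01\x00\x00"),  # Diagnostics, sub-function 0x0001
    ]
```

Running `analyze(sample_frames())` yields five writes, one exception and three findings (the write burst, the exception and the restart), which is the summary shape the acceptance criteria ask for.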

Labels

  • analyzer: Protocol analyzer modules
  • enhancement: New feature or request
  • ics/ot: Industrial control system / OT protocols
  • protocol:modbus: Modbus TCP protocol analysis (ICS/OT)