mirror of https://github.com/OISF/suricata
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
41 lines
1.3 KiB
ReStructuredText
41 lines
1.3 KiB
ReStructuredText
ENIP/CIP Keywords
|
|
=================
|
|
|
|
The enip_command and cip_service keywords can be used for matching on various properties of
|
|
ENIP requests.
|
|
|
|
There are three ways of using this keyword:
|
|
|
|
* matching on ENIP command with the setting "enip_command";
|
|
* matching on CIP Service with the setting "cip_service".
|
|
* matching both the ENIP command and the CIP Service with "enip_command" and "cip_service" together
|
|
|
|
|
|
For the ENIP command, we are matching against the command field found in the ENIP encapsulation.
|
|
|
|
For the CIP Service, we use a maximum of 3 comma separated values representing the Service, Class and Attribute.
|
|
These values are described in the CIP specification. CIP Classes are associated with their Service, and CIP Attributes
|
|
are associated with their Service. If you only need to match up until the Service, then only provide the Service value.
|
|
If you want to match to the CIP Attribute, then you must provide all 3 values.
|
|
|
|
|
|
Syntax::
|
|
|
|
enip_command:<value>
|
|
cip_service:<value(s)>
|
|
enip_command:<value>, cip_service:<value(s)>
|
|
|
|
|
|
Examples::
|
|
|
|
enip_command:99
|
|
cip_service:75
|
|
cip_service:16,246,6
|
|
enip_command:111, cip_service:5
|
|
|
|
|
|
(cf. http://read.pudn.com/downloads166/ebook/763211/EIP-CIP-V1-1.0.pdf)
|
|
|
|
Information on the protocol can be found here:
|
|
`<http://literature.rockwellautomation.com/idc/groups/literature/documents/wp/enet-wp001_-en-p.pdf>`_
|