CIP Events

By design, application detectors detect and event viewers display the same application one time per session. A CIP session can include multiple applications in different packets, and a single CIP packet can contain multiple applications. The CIP preprocessor handles all CIP and ENIP traffic according to the corresponding intrusion rule.

The following table shows the CIP values displayed in event views.

CIP Event Field Values
Event Field	Displayed Value
Application Protocol	CIP or ENIP
Client	CIP Client or ENIP Client
Web Application	The specific application detected, which is: For access control rules that allow or monitor traffic, the last application protocol detected in the session. Access control rules that you configure to log connections might not generate events for specified CIP applications, and access control rules that you do not configure to log connections might generate events for CIP applications. For access control rules that block traffic, the application protocol that triggered the block. When an access control rule blocks a list of CIP applications, event viewers display the first application that is detected.