CIP Events

By design, application detectors detect, and event viewers display, the same application only one time per session. A CIP session can include multiple applications in different packets, and a single CIP packet can contain multiple applications. The CIP preprocessor handles all CIP and ENIP traffic according to the corresponding intrusion rule.

The following table shows the CIP values displayed in event views.

CIP Event Field Values

Event Field            Displayed Value
Application Protocol   CIP or ENIP
Client                 CIP Client or ENIP Client
Web Application        The specific application detected, which is:

  • For access control rules that allow or monitor traffic, the last application protocol detected in the session.

    Access control rules that you configure to log connections might not generate events for specified CIP applications, and access control rules that you do not configure to log connections might generate events for CIP applications.

  • For access control rules that block traffic, the application protocol that triggered the block.

    When an access control rule blocks a list of CIP applications, event viewers display the first application that is detected.
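The following is an added example, not vendor code: a simplified model of the Web Application display rules above, useful for seeing which applications in a session never appear in the event. The application names, the sample session, and the literal reading of "one time per session" as first-appearance detection are assumptions.

```python
# Simplified model of the documented display rules; not the product's logic.
# Application names below are constructed sample values.

def detections(packets):
    """Once-per-session detection: record each application at first appearance."""
    seen = []
    for apps in packets:          # one list of applications per CIP packet
        for app in apps:          # a single packet may carry several
            if app not in seen:
                seen.append(app)
    return seen

def displayed_web_application(packets, action, blocked_apps=()):
    """Return the single value an event view would show for the session."""
    if action in ("allow", "monitor"):
        seen = detections(packets)
        return seen[-1] if seen else None      # last application detected
    if action == "block":
        for apps in packets:
            for app in apps:
                if app in blocked_apps:
                    return app                 # first listed app detected
        return None
    raise ValueError(f"unknown rule action: {action}")

def not_shown(packets, shown):
    """Applications present in the session that the event does not display."""
    return [app for app in detections(packets) if app != shown]

# Constructed session: three packets, the second carrying two applications.
SESSION = [["CIP Read"], ["CIP Write", "CIP Admin"], ["CIP Read"]]

if __name__ == "__main__":
    shown = displayed_web_application(SESSION, "allow")
    print("allow :", shown, "| not shown:", not_shown(SESSION, shown))
    shown = displayed_web_application(
        SESSION, "block", blocked_apps={"CIP Admin", "CIP Write"})
    print("block :", shown, "| not shown:", not_shown(SESSION, shown))
```

When triaging, treat the Web Application field as one sample of the session's CIP activity rather than a complete list.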