CIP and ENIP Keywords
You can use the following keywords alone or in combination to create custom intrusion rules that identify attacks against CIP and ENIP traffic detected by the CIP preprocessor. For configurable keywords, specify a single integer within the allowed range. See The CIP Preprocessor for more information.
|
This keyword... |
Matches against... |
Range |
|---|---|---|
|
|
the Object Class/Instance Attribute field in a CIP message. Specify a single defined integer value. |
0 - 65535 |
|
|
the Object Class field in a CIP message. Specify a single defined integer value. |
0 - 65535 |
|
|
the Object Class in Connection Path. Specify a single integer value. |
0 - 65535 |
|
|
the Instance ID field in a CIP message. Specify a single integer value. |
0 - 4284927295 |
|
|
the service request message. |
N/A |
|
|
the service response message. |
N/A |
|
|
the Service field in a CIP service request message. Specify a single integer value. |
0 - 127 |
|
|
the Status field in a CIP service response message. Specify a single integer value. |
0 - 255 |
|
|
the Command Code in EthNet/IP header. Specify a single integer value. |
0 - 65535 |
|
|
the EthNet/IP request message. |
N/A |
|
|
the EthNet/IP response message. |
N/A |