Configuring the CIP Preprocessor

Note	This section applies to Snort 2 preprocessors. For information on Snort 3 inspectors, see https://www.cisco.com/go/snort3-inspectors.

Before you begin

You must add the default CIP detection port 44818 and any other ports you list as CIP Ports to the TCP stream Perform Stream Reassembly on Both Ports list.
Familiarize yourself with Guidelines for Configuring the CIP Preprocessor.
The CIP preprocessor is not supported for threat defense devices.

Step 1

Choose Policies > Access Control, then click Network Analysis Policy or Policies > Access Control > Intrusion, then click Network Analysis Policies.

Note	If your custom user role limits access to the first path listed here, use the second path to access the policy.

Step 2

Click Snort 2 Version next to the policy you want to edit.

Step 3

Click Edit ( edit icon ) next to the policy you want to edit.

If View ( View button ) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Step 4

Click Settings in the navigation panel.

Step 5

If CIP Configuration under SCADA Preprocessors is disabled, click Enabled.

Step 6

You can modify any of the options described in CIP Preprocessor Options.

Step 7

To save changes you made in this policy since the last policy commit, click Policy Information, then click Commit Changes.

If you leave the policy without committing changes, cached changes since the last commit are discarded if you edit a different policy.

If you want to generate events and, in an inline deployment, drop offending packets, enable CIP intrusion rules and, optionally, CIP preprocessor rules (GID 148). For more information, see Setting Intrusion Rule States, CIP Preprocessor Rules, and CIP Events.
Deploy configuration changes.