CIP Specific Options

Snort 3 includes a Common Industrial Protocol (CIP) service inspector that decodes CIP and enables detection on various CIP fields. This service inspector also decodes the EtherNet/IP (ENIP) encapsulation that carries CIP.

The CIP inspector provides 11 different rule options: cip_attribute, cip_class, cip_conn_path_class, enip_command, enip_req, enip_rsp, cip_instance, cip_req, cip_rsp, cip_service, and cip_status. Each of these options is broken down below.

This inspector is disabled by default, so you must enable the cip service inspector and add binder entries to your Snort config to tell Snort which traffic to hand to it. The following snippet of a Snort config shows both:

-- enable the CIP inspector with its default settings
cip = { }
-- add CIP binder entries: ENIP over TCP/44818 and UDP/22222 go to the cip inspector
binder =
{
    { when = { proto = 'tcp', ports = '44818', role = 'server' }, use = { type = 'cip' } },
    { when = { proto = 'udp', ports = '22222', role = 'server' }, use = { type = 'cip' } },
}

cip_attribute

The cip_attribute rule option is used to look for a single CIP attribute or multiple CIP attributes.

This rule option takes one argument: either a single attribute value with an optional comparison operator, or a range of attributes using one of two range operators. A range is written by placing the <> or <=> sign between the minimum value on its left and the maximum value on its right. The <> form is an exclusive min-max check, while the <=> form is an inclusive min-max check.

Format:

Single value comparison:
cip_attribute:[<|>|=|!|<=|>=]attribute;
Range comparison:
cip_attribute:min_attribute{<>|<=>}max_attribute;

Examples:

cip_attribute:5;
cip_attribute:>5;

cip_class

The cip_class rule option is used to look for a single CIP class or multiple CIP classes.

This rule option takes one argument: either a single class value with an optional comparison operator, or a range of classes using one of two range operators. A range is written by placing the <> or <=> sign between the minimum value on its left and the maximum value on its right. The <> form is an exclusive min-max check, while the <=> form is an inclusive min-max check.

Format:

Single value comparison:
cip_class:[<|>|=|!|<=|>=]class;
Range comparison:
cip_class:min_class{<>|<=>}max_class;

Examples:

cip_class:2;
cip_class:2<>5;

cip_conn_path_class

The cip_conn_path_class rule option is used to match a single CIP connection path class or multiple CIP connection path classes.

This rule option takes one argument: either a single connection path class value with an optional comparison operator, or a range of connection path classes using one of two range operators. A range is written by placing the <> or <=> sign between the minimum value on its left and the maximum value on its right. The <> form is an exclusive min-max check, while the <=> form is an inclusive min-max check.

Format:

Single value comparison:
cip_conn_path_class:[<|>|=|!|<=|>=]conn_path_class;
Range comparison:
cip_conn_path_class:min_conn_path_class{<>|<=>}max_conn_path_class;

Note: The chosen conn_path_class values must be in the following range: 0:65535.

Examples:

cip_conn_path_class:10;
cip_conn_path_class:!0;

cip_instance

The cip_instance rule option is used to match a single CIP instance value or multiple CIP instance values.

This rule option takes one argument: either a single instance value with an optional comparison operator, or a range of instance values using one of two range operators. A range is written by placing the <> or <=> sign between the minimum value on its left and the maximum value on its right. The <> form is an exclusive min-max check, while the <=> form is an inclusive min-max check.

Format:

Single value comparison:
cip_instance:[<|>|=|!|<=|>=]cip_instance;
Range comparison:
cip_instance:min_cip_instance{<>|<=>}max_cip_instance;

Note: The chosen cip_instance values must be in the following range: 0:4294967295.

Examples:

cip_instance:33;
cip_instance:!33;

cip_req

The cip_req rule option is used to match CIP request packets.

This rule option takes no arguments.

Format:

cip_req;

Examples:

cip_req;

cip_rsp

The cip_rsp rule option is used to match CIP response packets.

This rule option takes no arguments.

Format:

cip_rsp;

Examples:

cip_rsp;

cip_service

The cip_service rule option is used to match a single CIP service value or multiple CIP service values.

This rule option takes one argument: either a single service value with an optional comparison operator, or a range of service values using one of two range operators. A range is written by placing the <> or <=> sign between the minimum value on its left and the maximum value on its right. The <> form is an exclusive min-max check, while the <=> form is an inclusive min-max check.

Format:

Single value comparison:
cip_service:[<|>|=|!|<=|>=]service;
Range comparison:
cip_service:min_service{<>|<=>}max_service;

Note: The chosen service values must be in the following range: 0:127.

Examples:

cip_service:10;
cip_service:127;

cip_status

The cip_status rule option is used to match a single CIP status value or multiple CIP status values.

This rule option takes one argument: either a single status value with an optional comparison operator, or a range of status values using one of two range operators. A range is written by placing the <> or <=> sign between the minimum value on its left and the maximum value on its right. The <> form is an exclusive min-max check, while the <=> form is an inclusive min-max check.

Format:

Single value comparison:
cip_status:[<|>|=|!|<=|>=]status;
Range comparison:
cip_status:min_status{<>|<=>}max_status;

Note: The chosen status values must be in the following range: 0:255.

Examples:

cip_status:0;
cip_status:!0;

enip_command

The enip_command rule option is used to match a single ENIP command value or multiple ENIP command values.

This rule option takes one argument: either a single ENIP command value with an optional comparison operator, or a range of ENIP command values using one of two range operators. A range is written by placing the <> or <=> sign between the minimum value on its left and the maximum value on its right. The <> form is an exclusive min-max check, while the <=> form is an inclusive min-max check.

Format:

Single value comparison:
enip_command:[<|>|=|!|<=|>=]enip_command;
Range comparison:
enip_command:min_enip_command{<>|<=>}max_enip_command;

Note: The chosen command values must be in the following range: 0:65535.

Examples:

enip_command:5<>100;
enip_command:<7;
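The single-value and range argument syntax shared by cip_attribute, cip_class, cip_conn_path_class, cip_instance, cip_service, cip_status and enip_command above, implemented as a small reference matcher so the exclusive/inclusive range semantics and the per-option value limits can be checked against sample values. This is an added example, not Snort's own option parser; the bounds for cip_attribute and cip_class (which the page does not state) and the decoded sample message are assumptions.

```python
import re

# Allowed value range per option, from the notes on this page. cip_attribute
# and cip_class give no range on the page, so their wide bound is an assumption.
VALUE_RANGE = {
    "cip_attribute": (0, 4294967295), "cip_class": (0, 4294967295),  # assumed
    "cip_conn_path_class": (0, 65535), "cip_instance": (0, 4294967295),
    "cip_service": (0, 127), "cip_status": (0, 255), "enip_command": (0, 65535),
}
SINGLE = re.compile(r"^(<=|>=|<|>|=|!)?(\d+)$")   # [op]value
RANGE = re.compile(r"^(\d+)(<>|<=>)(\d+)$")       # min{<>|<=>}max

def compile_option(name, arg):
    """Return a predicate implementing one option argument such as '2<>5'."""
    lo, hi = VALUE_RANGE[name]
    def bounded(v):                     # reject values outside the option's range
        if not lo <= v <= hi:
            raise ValueError(f"{name}: {v} outside {lo}:{hi}")
        return v
    m = RANGE.match(arg)
    if m:
        a, op, b = bounded(int(m[1])), m[2], bounded(int(m[3]))
        if op == "<>":                  # exclusive: min < v < max
            return lambda v: a < v < b
        return lambda v: a <= v <= b    # inclusive: min <= v <= max
    m = SINGLE.match(arg)
    if not m:
        raise ValueError(f"{name}: cannot parse {arg!r}")
    op, n = m[1] or "=", bounded(int(m[2]))
    return {"=": lambda v: v == n, "!": lambda v: v != n,
            "<": lambda v: v < n, ">": lambda v: v > n,
            "<=": lambda v: v <= n, ">=": lambda v: v >= n}[op]

def is_valid(name, arg):
    """True if the argument parses and its values lie within the option's range."""
    try:
        compile_option(name, arg)
        return True
    except ValueError:
        return False

def rule_matches(options, msg):
    """Snort ANDs a rule's options: every option must match the decoded message."""
    return all(compile_option(n, a)(msg[n]) for n, a in options)

# Constructed decoded CIP request (sample input, not captured traffic).
SAMPLE_MSG = {"cip_service": 10, "cip_class": 4, "cip_instance": 33,
              "cip_attribute": 5, "cip_status": 0, "enip_command": 112}
```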

enip_req

The enip_req rule option is used to match ENIP request packets.

This rule option takes no arguments.

Format:

enip_req;

Examples:

enip_req;

enip_rsp

The enip_rsp rule option is used to match ENIP response packets.

This rule option takes no arguments.

Format:

enip_rsp;

Examples:

enip_rsp;