When running as part of your Zeek installation, this plugin produces three log files containing metadata extracted from any EtherNet/IP (ENIP) and Common Industrial Protocol (CIP) traffic observed on UDP port 2222 and on port 44818 (TCP or UDP). EtherNet/IP and CIP are often observed together: ENIP is the encapsulation layer and CIP is the messaging layer carried inside it. cip.log and enip.log contain metadata from their respective protocols, while enip_list_identity.log contains additional data extracted from the ENIP messages (ListIdentity requests and replies) that describe device identity.
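To make concrete what the plugin pulls out of those ListIdentity messages, here is an added example (not code from this repository or from Zeek) that parses the 24-byte ENIP encapsulation header and a ListIdentity reply's Common Packet Format item with Python's standard library, yielding the same kind of fields that end up in enip_list_identity.log (vendor ID, device type, product code, revision, status, serial number, product name, state). The sample packet is constructed inline from the protocol layout; the device values in it are arbitrary placeholders, not a real device, and the helper and field names are this example's own.

```python
"""Decode an EtherNet/IP ListIdentity reply (added example, not the plugin's code)."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ENIP_HEADER_LEN = 24          # encapsulation header is always 24 bytes, little-endian
CMD_LIST_IDENTITY = 0x0063    # ListIdentity command code
CPF_ITEM_LIST_IDENTITY = 0x000C  # CPF item type carrying the identity data
ENIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}  # ports the plugin watches


def is_enip_port(proto: str, port: int) -> bool:
    """True if this transport/port pair is one the plugin inspects for ENIP/CIP."""
    return (proto.lower(), port) in ENIP_PORTS


@dataclass
class EnipHeader:
    command: int
    length: int          # bytes of payload following the header
    session: int
    status: int
    sender_context: bytes
    options: int


def parse_enip_header(data: bytes) -> EnipHeader:
    """Unpack the fixed encapsulation header and check the declared length fits."""
    if len(data) < ENIP_HEADER_LEN:
        raise ValueError("short ENIP header")
    cmd, length, session, status, ctx, options = struct.unpack_from("<HHII8sI", data, 0)
    if len(data) - ENIP_HEADER_LEN < length:
        raise ValueError("truncated ENIP payload")  # length field lies; do not trust it
    return EnipHeader(cmd, length, session, status, ctx, options)


@dataclass
class ListIdentity:
    protocol_version: int
    ip: str
    port: int
    vendor_id: int
    device_type: int
    product_code: int
    revision: str
    status: int
    serial: int
    product_name: str
    state: int


def _parse_identity_item(item: bytes) -> ListIdentity:
    """Decode the body of a 0x000C CPF item."""
    (version,) = struct.unpack_from("<H", item, 0)
    # sockaddr_in is carried in network byte order, unlike the rest of ENIP
    family, port, addr = struct.unpack_from(">hHI", item, 2)
    # bytes 10..18 are sin_zero; identity fields resume at offset 18 (little-endian)
    vendor, dev_type, prod_code, rev_major, rev_minor, status, serial, name_len = \
        struct.unpack_from("<HHHBBHIB", item, 18)
    off = 18 + 15
    if len(item) < off + name_len + 1:
        raise ValueError("truncated identity item")
    name = item[off:off + name_len].decode("ascii", "replace")
    state = item[off + name_len]
    return ListIdentity(version, str(IPv4Address(addr)), port, vendor, dev_type,
                        prod_code, f"{rev_major}.{rev_minor}", status, serial, name, state)


def parse_list_identity(payload: bytes) -> ListIdentity:
    """Walk the CPF item list and return the first ListIdentity item."""
    (count,) = struct.unpack_from("<H", payload, 0)
    off = 2
    for _ in range(count):
        item_type, item_len = struct.unpack_from("<HH", payload, off)
        off += 4
        item = payload[off:off + item_len]
        if len(item) != item_len:
            raise ValueError("truncated CPF item")
        off += item_len
        if item_type == CPF_ITEM_LIST_IDENTITY:
            return _parse_identity_item(item)
    raise ValueError("no ListIdentity item in reply")


def decode_list_identity_reply(packet: bytes) -> ListIdentity:
    """Header plus payload: what a responder on 44818 sends back to a ListIdentity request."""
    hdr = parse_enip_header(packet)
    if hdr.command != CMD_LIST_IDENTITY:
        raise ValueError(f"not a ListIdentity message: 0x{hdr.command:04x}")
    return parse_list_identity(packet[ENIP_HEADER_LEN:ENIP_HEADER_LEN + hdr.length])


# Constructed sample reply (placeholder device values, not captured traffic).
_NAME = b"Demo-Adapter"
_ITEM = (struct.pack("<H", 1)
         + struct.pack(">hHI", 2, 44818, int(IPv4Address("192.168.1.10"))) + b"\x00" * 8
         + struct.pack("<HHHBBHIB", 1, 12, 151, 20, 11, 0x0030, 0x12345678, len(_NAME))
         + _NAME + bytes([3]))
_PAYLOAD = struct.pack("<H", 1) + struct.pack("<HH", CPF_ITEM_LIST_IDENTITY, len(_ITEM)) + _ITEM
SAMPLE_REPLY = struct.pack("<HHII8sI", CMD_LIST_IDENTITY, len(_PAYLOAD), 0, 0, b"\x00" * 8, 0) + _PAYLOAD

if __name__ == "__main__":
    print(decode_list_identity_reply(SAMPLE_REPLY))
```

Two details matter for anyone writing their own parser or reviewing the plugin's: the socket address inside the identity item is big-endian while everything else in ENIP is little-endian, and the header's length field must be bounded by the bytes actually present before it is used to slice, since a hostile or malformed responder controls it.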
zeek-plugin-enip is distributed as a Zeek package and is compatible with the zkg command line tool.
This code is made available under the BSD-3-Clause license. Guidelines for contributing are available, as is a pull request template. A Dockerfile is included in the repository to help set up an environment for testing changes to the plugin.
- Earlier work on CIP and ENIP by SCy-Phy
- ICSNPP-ENIP - Another ENIP/CIP plugin implementation for Zeek