When parsing a ListIdentity event (type CIP_Identity_Item starting on line 314 in enip-protocol.pac),
the parser will insert both the sin_addr and sin_port into the log in the opposite endianness from the
packet (this is logged by type Socket_Address_Info_Item on line 386 in enip-protocol.pac). This
results in incorrect values being logged. For example, the IP address 123.456.7.8 will be inserted as
8.7.456.123 and the port will be converted to decimal incorrectly, as the raw bytes were read in
backwards.
Fixes and Implementation Notes
A potential fix to this issue could be changing the byteorder on enip-protocol.pac line 393 in type Socket_Address_Info_Item from littleendian to bigendian.
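The effect described above can be reproduced outside the parser. The following is an added example, not code from the project: it decodes a constructed Socket Address Info payload in both byte orders and shows how an analyst can recover the on-wire values from an entry already logged by the little-endian parse. The 16-byte layout (sin_family, sin_port, sin_addr, 8 bytes of sin_zero), the sample address and port, and the function names are assumptions made for this example.

```python
import ipaddress
import struct

# Constructed sample payload for 192.0.2.10:44818 (not taken from a capture).
# Assumed layout: sin_family(2) sin_port(2) sin_addr(4) sin_zero(8).
SAMPLE = bytes.fromhex("0002" "af12" "c000020a" "0000000000000000")


def parse_socket_address(data: bytes, byteorder: str) -> dict:
    """Decode the item using 'big' or 'little' byte order."""
    if len(data) < 16:
        raise ValueError("Socket Address Info item needs 16 bytes")
    prefix = ">" if byteorder == "big" else "<"
    family, port, addr = struct.unpack_from(prefix + "hHI", data, 0)
    return {
        "sin_family": family,
        "sin_port": port,
        "sin_addr": str(ipaddress.IPv4Address(addr)),
    }


def correct_logged_value(logged_addr: str, logged_port: int) -> tuple:
    """Recover on-wire values from a log entry written by the little-endian parse."""
    # Reverse the four address octets and swap the two port bytes.
    addr = ipaddress.IPv4Address(logged_addr).packed[::-1]
    port = struct.unpack(">H", struct.pack("<H", logged_port))[0]
    return str(ipaddress.IPv4Address(addr)), port


if __name__ == "__main__":
    print("littleendian:", parse_socket_address(SAMPLE, "little"))
    print("bigendian:   ", parse_socket_address(SAMPLE, "big"))
    print("recovered:   ", correct_logged_value("10.2.0.192", 4783))
```

Logs written before the byte order is changed can be normalized with `correct_logged_value` so that address and port searches match the hosts actually on the network.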