What is the work, as a high-level summary?
Addition of extended status codes that provide more detailed information on the base cip_status field.
Motivation and context
Why does this work belong in this project?
This would be useful because...
When searching for connection errors in CIP devices, the extra detail carried by these extended status codes may give the analyst useful information when performing a hunt or analysing an attack. This may make it possible to detect specific types of attacks that produce specific changes reflected in the extended status.
Implementation notes
Please provide details for implementation, such as:
an example for how this would be used
what this would look like
how this would act
any related work, including links to related issues
Addition of a cip_extended_status (or similarly named) field in the parser. It would be helpful to include both the extended status code and the extended status code value for easier parsing/searching.
Lines 1224 and 1342 contain the beginning of the Wireshark dissector's extended status codes: https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-cip.c
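The following is an added example, written for this issue and not code from the project or from the issue author, of what extracting the extended status from a CIP response and exposing it as both a code and a named value could look like. It follows the CIP Message Router Response layout (reply service byte, reserved byte, general status, count of 16-bit additional status words, the additional status words, then reply data). The sample packets are constructed for this example, and the code-to-name table is a partial, hand-entered subset of the Connection Manager extended status codes; the field names `cip_status` and `cip_extended_status` mirror the names used in this issue.

```python
"""
Parse the status portion of a CIP Message Router Response and expose the
general status plus any extended (additional) status words, each paired
with a human-readable name so an analyst can search on either form.

Added example; not the project's own parser. Frame layout per the CIP
Message Router Response format. Sample bytes are constructed here, and
the name tables are partial, hand-entered subsets of the CIP tables.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List

# Partial subset of CIP general status codes (the base cip_status field).
GENERAL_STATUS: Dict[int, str] = {
    0x00: "Success",
    0x01: "Connection failure",
    0x04: "Path segment error",
    0x05: "Path destination unknown",
    0x08: "Service not supported",
    0x0C: "Object state conflict",
    0x14: "Attribute not supported",
}

# Partial subset of Connection Manager extended status codes. These only
# carry meaning when the general status is non-zero (e.g. 0x01).
EXTENDED_STATUS: Dict[int, str] = {
    0x0100: "Connection in use or duplicate Forward Open",
    0x0103: "Transport class and trigger combination not supported",
    0x0106: "Ownership conflict",
    0x0107: "Target connection not found",
    0x0108: "Invalid network connection parameter",
    0x0109: "Invalid connection size",
    0x0110: "Target for connection not configured",
    0x0111: "RPI not supported",
    0x0113: "Out of connections",
    0x0114: "Vendor ID or product code mismatch",
    0x0115: "Product type mismatch",
    0x0116: "Revision mismatch",
    0x0203: "Connection timed out",
    0x0204: "Unconnected request timed out",
    0x0315: "Invalid segment in connection path",
}


@dataclass
class CipStatus:
    reply_service: int
    general_status: int
    extended_status: List[int] = field(default_factory=list)
    reply_data: bytes = b""

    @property
    def general_status_name(self) -> str:
        return GENERAL_STATUS.get(self.general_status, "Unknown general status")

    @property
    def extended_status_names(self) -> List[str]:
        return [EXTENDED_STATUS.get(c, "Unknown extended status") for c in self.extended_status]


def parse_cip_response(payload: bytes) -> CipStatus:
    """Parse a CIP Message Router Response; raises ValueError when truncated."""
    if len(payload) < 4:
        raise ValueError("CIP response shorter than the 4-byte status header")
    reply_service, _reserved, general_status, ext_words = struct.unpack_from("<BBBB", payload, 0)
    if not reply_service & 0x80:
        raise ValueError("reply service byte lacks the response bit (0x80)")
    ext_len = ext_words * 2  # additional status size is in 16-bit words
    if len(payload) < 4 + ext_len:
        raise ValueError("additional status words truncated")
    ext = list(struct.unpack_from("<%dH" % ext_words, payload, 4)) if ext_words else []
    return CipStatus(reply_service, general_status, ext, payload[4 + ext_len:])


def status_log_fields(status: CipStatus) -> Dict[str, str]:
    """Flatten a parsed status into log-style fields, code and name side by side."""
    return {
        "cip_status": "0x%02x" % status.general_status,
        "cip_status_name": status.general_status_name,
        "cip_extended_status": ",".join("0x%04x" % c for c in status.extended_status),
        "cip_extended_status_name": ",".join(status.extended_status_names),
    }


# Constructed samples. 0xD4 is the reply to Forward Open (0x54 | 0x80).
# Failure: general status 0x01, one extended word 0x0100 (little-endian 00 01),
# followed by the unsuccessful Forward Open reply data.
FAILED_FORWARD_OPEN = bytes.fromhex("d4 00 01 01 00 01 3412 0100 78563412 00 00")
# Success: general status 0x00, no extended words, then reply data.
SUCCESS_FORWARD_OPEN = bytes.fromhex("d4 00 00 00 01000000 02000000")

if __name__ == "__main__":
    for name, pkt in (("failed", FAILED_FORWARD_OPEN), ("success", SUCCESS_FORWARD_OPEN)):
        print(name, status_log_fields(parse_cip_response(pkt)))
```

Running the block prints one log-style record per sample; the failed Forward Open yields `cip_extended_status` `0x0100` next to its name, which is the pairing the issue asks for so that an analyst can pivot on either the numeric code or the description.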
Acceptance criteria
How do we know when this work is done?