
Non-enip traffic reported as enip if on standard 44818 port #6

Closed
shaynakapadia opened this issue Jun 28, 2022 · 1 comment

@shaynakapadia

🐛 Summary

The parser is returning false positives on any traffic that has a destination port == 44818. So far my co-worker and I have tested this out with https traffic, dns traffic, and netcat udp traffic. I've attached some zip files of pcaps and zeek logs that were generated from those pcaps that show the falsely identified traffic. We noticed false positives with https and netcat traffic to the standard enip port, but not with dns. These pcaps were edited with scapy after capture to modify port values. The checksums were recalculated after editing the pcaps with scapy.

We've also noticed many false positives where the source port is 44818, but the traffic is just normal https or dns traffic to 443/53. However, we have not been able to reproduce this locally.

dns_47581_to_44818.zip
https_443_to_44818.zip
https_59951_to_44818.zip
netcat_49865_to_44818.zip

To reproduce

Steps to reproduce the behavior:

  1. Capture https traffic or udp traffic with netcat where the dst port is 44818
  2. Use scapy to edit pcap if necessary to make source port = 44818

Expected behavior

We expect the https/udp traffic to not be registered as ENIP traffic when the dst port is 44818.


@Kleinspider Kleinspider moved this from Triage to Wish List in ICS NPP (Network Protocol Parsers) Sep 29, 2022
Kleinspider added a commit that referenced this issue Mar 10, 2023
Updated signatures based on information provided in Issue #6
@Kleinspider
Contributor

We have updated the ENIP signatures to help prevent false positive detection of ENIP traffic. I ran the PCAPs you provided through the parser and it no longer produces the false ENIP logs.
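To show why port-only dispatch produces the false positives described in this issue and what a signature that inspects the ENIP encapsulation header buys, here is an added Python example (not the parser's own code). The packets and the command-code table are constructed here; the 24-byte header layout follows the ODVA encapsulation header.

```python
import struct

ENIP_PORT = 44818
# ENIP encapsulation header, little-endian, 24 bytes:
# command(2) length(2) session_handle(4) status(4) sender_context(8) options(4)
ENIP_HDR = struct.Struct("<HHIIQI")
# Encapsulation command codes: NOP, ListServices, ListIdentity, ListInterfaces,
# RegisterSession, UnRegisterSession, SendRRData, SendUnitData
ENIP_COMMANDS = {0x0000, 0x0004, 0x0063, 0x0064, 0x0065, 0x0066, 0x006F, 0x0070}


def port_only_is_enip(src_port, dst_port, payload):
    """The behaviour reported in the issue: any packet touching 44818 is ENIP."""
    return ENIP_PORT in (src_port, dst_port)


def header_is_enip(src_port, dst_port, payload):
    """Port match plus structural validation of the first payload segment.
    Segments without payload (e.g. a bare TCP handshake) cannot be classified
    and are rejected; a real signature would wait for the first data segment."""
    if ENIP_PORT not in (src_port, dst_port) or len(payload) < ENIP_HDR.size:
        return False
    cmd, length, _session, _status, _ctx, options = ENIP_HDR.unpack_from(payload)
    # Known command, declared length equals the bytes after the header,
    # and the reserved options word is zero as the spec requires on the wire.
    return cmd in ENIP_COMMANDS and length == len(payload) - ENIP_HDR.size and options == 0


# Constructed sample payloads (not taken from the pcaps attached to the issue).
TLS_CLIENT_HELLO = bytes.fromhex("16030100") + bytes(30)   # TLS record header + filler
NETCAT_TEXT = b"hello from netcat\n"
LIST_IDENTITY = ENIP_HDR.pack(0x0063, 0, 0, 0, 0, 0)        # ListIdentity request, no body
REGISTER_SESSION = ENIP_HDR.pack(0x0065, 4, 0, 0, 0, 0) + struct.pack("<HH", 1, 0)

SAMPLES = [
    ("https to 44818", 59951, 44818, TLS_CLIENT_HELLO),
    ("https from 44818", 44818, 443, TLS_CLIENT_HELLO),
    ("netcat udp to 44818", 49865, 44818, NETCAT_TEXT),
    ("real ListIdentity", 49152, 44818, LIST_IDENTITY),
    ("real RegisterSession", 49152, 44818, REGISTER_SESSION),
]


def classify(detector):
    """Run one detector over every sample; returns {name: is_enip}."""
    return {name: detector(s, d, p) for name, s, d, p in SAMPLES}


if __name__ == "__main__":
    naive, strict = classify(port_only_is_enip), classify(header_is_enip)
    for name in naive:
        print(f"{name:22} port-only={naive[name]!s:5} header-check={strict[name]}")
```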
