CIP service name enum is inaccurate

[d3vco]

🐛 Summary

CIP uses an "object-oriented" design in which each CIP class can define its own class-specific services. Service codes < 0x31 (50) are common and must be the same in each class (if the class chooses to define that service), but this guarantee does not hold for service codes >= 0x31. Therefore these codes can't be mapped to a name with a simple enum as they are currently:

icsnpp-enip/scripts/consts.zeek

Lines 216 to 222 in 6a62de9

	[0x4B] = "Execute PCCC Service",
	[0x4C] = "Read Data",
	[0x4D] = "Write Data",
	[0x4E] = "Read Write Modify Data",
	[0x52] = "Read Data Fragmented",
	[0x53] = "Write Data Fragmented",
	[0x54] = "Forward Open",

For example, in CIP class 0xF3 (Connection Configuration) service code 0x4C is defined as "Open Connection", not "Read Data" as would be mapped in the current design. It looks like the current service code names come from a mix of the "PCCC" class and the "Connection Manager" class.

Possible Solutions

I see two ways to handle this.

1. Remove services >= 0x31 from the cip_services enum. This would mean more services get mapped to "unknown" but would prevent inaccurate labeling.
2. Create class-specific service enums. If the service code is >= 0x31, look up the appropriate class enum, then attempt to match the service name.

I am willing to work on a solution but I am not able to get to it immediately.

[jjrush]

@d3vco Investigating.

[jjrush]

@d3vco Progress on this front is slow. We will probably have to go with option 1 in the meantime to prevent the inaccurate labeling - at least in the short term.