ICMP Anomaly Detection
At Security Onion Conference 2016, Eric Conrad shared some IDS rules for detecting unusual ICMP echo requests/replies and identifying C2 channels that may utilize ICMP tunneling for covert communication.
We can add the rules to /etc/nsm/rules/local.rules and the variables to the sensor's suricata.yaml (run sudo rule-update afterwards so the new rules are loaded) to gain better insight into ICMP echo requests or replies that exceed a certain payload size or carry particularly suspicious content.
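To make the two kinds of check concrete, the following is an added Python example, not code from Eric Conrad's presentation or from Security Onion: it parses hand-built IPv4/ICMP packets and applies the same logic a Suricata rule would express with itype, dsize and content options. The 64-byte threshold, the stock Linux and Windows ping payload patterns used as "known good", and the shell-string tokens are illustrative assumptions; the packets are constructed inline.

```python
import struct

# Added example: rule-style checks for unusual ICMP echo traffic, run against
# hand-built packets. The threshold and the suspicious-content tokens are
# illustrative assumptions, not the rules from the presentation.

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
MAX_NORMAL_PAYLOAD = 64  # assumed: Linux ping sends 56 data bytes, Windows 32

# Default payload of the stock Windows ping, used as a "known good" pattern.
WINDOWS_PING_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"
# Assumed suspicious strings; a real rule set would carry many more.
SUSPICIOUS_TOKENS = (b"/bin/sh", b"cmd.exe", b"powershell")


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed IPv4/ICMP packet (IP checksum left zero; the parser ignores it)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    icmp = struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return ip + icmp


def linux_ping_payload(size: int = 56, ts_len: int = 16) -> bytes:
    """Shape of iputils ping data: timestamp, then bytes equal to their offset."""
    body = bytes(k & 0xFF for k in range(size))
    return b"\x00" * ts_len + body[ts_len:]


def parse_icmp(pkt: bytes):
    """Return (type, code, payload) for an IPv4 packet carrying ICMP, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:
        return None
    return pkt[ihl], pkt[ihl + 1], pkt[ihl + 8:]


def looks_like_standard_ping(payload: bytes) -> bool:
    """True when the payload matches a stock Windows or Linux ping body."""
    if payload == WINDOWS_PING_PATTERN:
        return True
    for ts_len in (8, 16):  # 32-bit and 64-bit struct timeval
        expected = bytes(k & 0xFF for k in range(ts_len, len(payload)))
        if len(payload) > ts_len and payload[ts_len:] == expected:
            return True
    return False


def classify(pkt: bytes) -> list:
    """Alert names raised for one packet; comments name the matching rule option."""
    parsed = parse_icmp(pkt)
    if parsed is None:
        return []
    itype, _code, payload = parsed
    if itype not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):  # itype:8 / itype:0
        return []
    alerts = []
    if len(payload) > MAX_NORMAL_PAYLOAD:                   # dsize:>64
        alerts.append("ICMP echo payload over threshold")
    if not looks_like_standard_ping(payload):              # negated content match
        alerts.append("ICMP echo payload not a standard ping pattern")
    if any(tok in payload for tok in SUSPICIOUS_TOKENS):    # content:"..."
        alerts.append("ICMP echo payload contains shell command string")
    return alerts


if __name__ == "__main__":
    # Constructed samples: two normal pings, one oversized echo, one echo reply
    # carrying command output the way an ICMP tunnel might.
    samples = {
        "linux ping": build_echo(ICMP_ECHO_REQUEST, linux_ping_payload()),
        "windows reply": build_echo(ICMP_ECHO_REPLY, WINDOWS_PING_PATTERN),
        "oversized": build_echo(ICMP_ECHO_REQUEST, b"A" * 200),
        "tunneled cmd": build_echo(ICMP_ECHO_REPLY, b"id;uname -a;/bin/sh -i"),
    }
    for name, pkt in samples.items():
        print("%-14s %s" % (name, classify(pkt) or "no alert"))
```

The size check is the cheap, high-signal one: a stock ping never exceeds the threshold, so anything larger deserves a look, whereas the content checks only catch tunnels that do not bother to mimic a normal ping body. Tune the threshold to what your own hosts actually send before turning the equivalent rule on.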
You can find Eric's presentation here:
You can download the rules here: