1) Package identifies ICMP scanning
bro-pkg install bro/initconf/icmp-scans or @load icmp-scans/scripts
Heuristics are simple: the script checks for different kinds of ICMP connections and, if they cross a certain threshold, generates a notice.
(This version uses Broker::auto_publish. I do intend to update the script to use cluster_hrw events, which are more efficient as well as meaningful in this case.)
This should generate the following kinds of notices:
- ICMP::AddressMaskScan - An address mask request message reveals the subnet mask used by the target host. This information is useful when mapping networks and identifying the size of subnets and network spaces used by organizations.
- ICMP::ICMPAddressScan - Primarily flags ICMP echo-request/replies also known as ping scanning.
- ICMP::InfoRequestScan - The ICMP information request message was intended to support self-configuring systems such as diskless workstations at boot time, to allow them to discover their network address. Protocols such as RARP, BOOTP, or DHCP do so more robustly, so type 15 messages are rarely used.
- ICMP::TimestampScan - A timestamp request message requests system time information from the target host. The response is in a decimal format and is the number of milliseconds elapsed since midnight GMT.
- ICMP::ScanSummary - A general summary of an ICMP scan: how many hosts over how much time.
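As an added example (not the package's own Bro script), the same threshold heuristic written in Python over Bro/Zeek conn.log rows, so the notice types above can be exercised against a constructed log excerpt. The column order, the threshold of 3 and the sample addresses are assumptions.

```python
"""Threshold ICMP scan detection over Bro/Zeek conn.log rows (added example, not
the package's code). For proto=icmp rows, conn.log puts the ICMP type in
id.orig_p and the ICMP code in id.resp_p; the type is what the heuristic keys on."""
from collections import defaultdict

NOTICE_FOR_TYPE = {  # request types the package flags -> its notice names
    8: "ICMP::ICMPAddressScan",   # echo request (ping sweep)
    13: "ICMP::TimestampScan",    # timestamp request
    15: "ICMP::InfoRequestScan",  # information request
    17: "ICMP::AddressMaskScan",  # address mask request
}
THRESHOLD = 3  # distinct targets per (source, type); tune for your site

def detect_icmp_scans(lines, threshold=THRESHOLD):
    """Per-type notices (notice, source, n_targets) fired once at the threshold,
    then ("ICMP::ScanSummary", source, n_hosts, duration_s) per flagged source.
    Assumed column order: ts uid orig_h orig_p resp_h resp_p proto."""
    targets = defaultdict(set)  # (source, icmp_type) -> distinct targets
    span = {}                   # source -> [first_ts, last_ts]
    notices = []
    for line in lines:
        f = line.rstrip("\n").split("\t")
        if len(f) < 7 or f[6] != "icmp" or int(f[3]) not in NOTICE_FOR_TYPE:
            continue  # non-ICMP rows, replies and errors are not scan attempts
        ts, src, itype, dst = float(f[0]), f[2], int(f[3]), f[4]
        span.setdefault(src, [ts, ts])[1] = ts
        targets[(src, itype)].add(dst)
        if len(targets[(src, itype)]) == threshold:  # fire exactly once
            notices.append((NOTICE_FOR_TYPE[itype], src, threshold))
    for src in dict.fromkeys(n[1] for n in notices):  # unique flagged sources
        hosts = set().union(*(t for (s, _), t in targets.items() if s == src))
        first, last = span[src]
        notices.append(("ICMP::ScanSummary", src, len(hosts), last - first))
    return notices

# Constructed conn.log excerpt: ping sweep from 10.0.0.5, two timestamp requests
# from it (below threshold), address-mask sweep from 10.0.0.9, one TCP row.
SAMPLE_LOG = [
    "1500000000.0\tC1\t10.0.0.5\t8\t10.0.0.1\t0\ticmp",
    "1500000001.0\tC2\t10.0.0.5\t8\t10.0.0.2\t0\ticmp",
    "1500000002.0\tC3\t10.0.0.5\t8\t10.0.0.3\t0\ticmp",
    "1500000003.0\tC4\t10.0.0.5\t13\t10.0.0.1\t0\ticmp",
    "1500000004.0\tC5\t10.0.0.5\t13\t10.0.0.2\t0\ticmp",
    "1500000005.0\tC6\t10.0.0.9\t17\t10.0.0.1\t0\ticmp",
    "1500000006.0\tC7\t10.0.0.9\t17\t10.0.0.2\t0\ticmp",
    "1500000007.0\tC8\t10.0.0.9\t17\t10.0.0.3\t0\ticmp",
    "1500000008.0\tC9\t10.0.0.9\t443\t10.0.0.3\t443\ttcp",  # ignored
]
```

Running detect_icmp_scans(SAMPLE_LOG) yields one ICMPAddressScan and one AddressMaskScan notice followed by a ScanSummary for each source; the timestamp requests stay below the threshold but still count toward the summary's host total and duration.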