ICMP Anomaly Detection¶
At Security Onion Conference 2016, Eric Conrad shared some IDS rules for detecting unusual ICMP echo requests/replies and identifying C2 channels that may utilize ICMP tunneling for covert communication.
We can add the rules to
/opt/so/rules/nids/local.rules and the variables to
suricata.yaml so that we can gain better insight into ICMP echoes or replies over a certain size, containing particularly suspicious content, etc.
You can find Eric’s presentation here:
You can download the rules here: