ICMP Anomaly Detection¶
At Security Onion Conference 2016, Eric Conrad shared a set of IDS rules for detecting unusual ICMP echo requests and replies, including command-and-control channels that tunnel covert communication over ICMP.
We can add the rules to /etc/nsm/rules/local.rules and the accompanying variables to suricata.yaml so that we gain better insight into ICMP echo requests or replies that exceed a certain size, carry particularly suspicious content, and so on.
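The following local.rules entries are an added illustration of the kind of checks described above; they are not Eric Conrad's rules and are not part of this page. The size threshold (64 bytes), the content string, the SIDs in the local range, and the classtypes are all assumptions chosen for the example and should be adjusted to your environment.

```suricata
# Illustrative local.rules entries (added example, not the rules from the talk).
# SIDs 9000001-9000003 are placeholders in the local range; pick values that
# do not collide with your own numbering.

# Echo request whose payload is larger than a normal ping. Linux ping sends
# 56 bytes of data by default and Windows ping sends 32, so a payload well
# above that (threshold of 64 is an assumption) deserves a look.
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL ICMP echo request with oversized payload"; itype:8; icode:0; dsize:>64; classtype:bad-unknown; sid:9000001; rev:1;)

# Same check on the echo reply coming back in, since tunnel traffic flows both ways.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP echo reply with oversized payload"; itype:0; icode:0; dsize:>64; classtype:bad-unknown; sid:9000002; rev:1;)

# Echo request whose payload carries shell-like content instead of the usual
# filler bytes. "/bin/sh" is an assumed example string; extend with whatever
# patterns you see in your own traffic.
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL ICMP echo request carrying shell-like content"; itype:8; content:"/bin/sh"; nocase; classtype:trojan-activity; sid:9000003; rev:1;)
```

After adding rules, run rule-update (or otherwise reload the ruleset) and confirm the new SIDs appear in the loaded rule count before trusting the alerts; the dsize threshold in particular should be tuned against a baseline of your own ping traffic so that legitimate large echoes (for example path MTU probes) do not swamp the alerts.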