NF – ICMP Payload to big for normal use – Covert Channel

This Snort rule is designed to detect ICMP packets with a payload size outside the range of 100 to 130 bytes. If such packets are detected more than 50 times within a 10-second window for a specific destination IP address, the rule triggers an alert. It is specifically crafted to identify potential covert channels in which the payload size is used as a covert communication mechanism.

Categories:

ID Number

5016108

Signature

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"NF - ICMP Payload to big for normal use - Covert Channel"; dsize:100<>130; detection_filter:track by_dst, count 50, seconds 10; reference:url,networkforensic.dk; metadata:12072015; classtype:misc-activity; sid:5016108; rev:1;)
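The following Python script is an added example and not part of the original rule page or of the Snort project: it re-implements the two conditions of the signature above (the `dsize:100<>130` range test, which in Snort matches payload lengths within the range, and `detection_filter: track by_dst, count 50, seconds 10`) so that the thresholds can be checked offline against constructed traffic. Whether the endpoints 100 and 130 themselves match depends on the Snort version, so that is left as a parameter; the packet records, the IP addresses and the fixed-window model of the detection filter are assumptions made for the example.

```python
"""Added example, not part of the original rule page: a small re-implementation
of the signature's matching logic so the thresholds can be reasoned about
offline against constructed traffic.

Assumptions (not from the page): packets are (timestamp, dst_ip, payload_len)
records constructed below; whether the endpoints 100 and 130 themselves match
`dsize:100<>130` depends on the Snort version, so that is a parameter; the
detection_filter is modelled as a fixed window that opens on the first
matching packet for a destination and resets once `seconds` have elapsed.
"""
from collections import namedtuple

# Values taken from the rule on the page.
DSIZE_MIN = 100
DSIZE_MAX = 130
FILTER_COUNT = 50
FILTER_SECONDS = 10

# Constructed packet record: capture timestamp (seconds), destination IP,
# and ICMP payload length in bytes.
Packet = namedtuple("Packet", "ts dst_ip payload_len")


def dsize_matches(payload_len, inclusive=True):
    """Model of `dsize:100<>130`: true when the payload length lies in the range.
    `inclusive` is an assumption about endpoint handling (see module docstring)."""
    if inclusive:
        return DSIZE_MIN <= payload_len <= DSIZE_MAX
    return DSIZE_MIN < payload_len < DSIZE_MAX


class DetectionFilter:
    """Model of `detection_filter: track by_dst, count 50, seconds 10`.

    Per destination, count rule matches inside a window that opens on the
    first match and is reset once it is older than `seconds`. The filter
    lets the rule fire only when the count exceeds `count` in that window,
    i.e. on the 51st match and every further match in the same window."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.state = {}  # dst_ip -> (window_start_ts, matches_in_window)

    def exceeded(self, dst_ip, ts):
        start, n = self.state.get(dst_ip, (ts, 0))
        if ts - start >= self.seconds:
            start, n = ts, 0  # window expired: open a fresh one
        n += 1
        self.state[dst_ip] = (start, n)
        return n > self.count


def run_rule(packets, inclusive=True):
    """Apply both rule conditions to a packet list; return alert counts per dst_ip."""
    filt = DetectionFilter(FILTER_COUNT, FILTER_SECONDS)
    alerts = {}
    for pkt in sorted(packets, key=lambda p: p.ts):
        if not dsize_matches(pkt.payload_len, inclusive):
            continue  # normal-sized payload: the rule never sees it
        if filt.exceeded(pkt.dst_ip, pkt.ts):
            alerts[pkt.dst_ip] = alerts.get(pkt.dst_ip, 0) + 1
    return alerts


def build_sample_traffic():
    """Constructed traffic (not captured data) covering three situations."""
    pkts = []
    # 1. Burst: 60 oversized (120-byte) echoes to one host within 6 seconds.
    #    Matches 51..60 exceed the filter -> 10 alerts for this destination.
    for i in range(60):
        pkts.append(Packet(100.0 + i * 0.1, "203.0.113.5", 120))
    # 2. Ordinary pings: 56-byte payloads, many of them, never match dsize.
    for i in range(200):
        pkts.append(Packet(100.0 + i * 0.05, "198.51.100.7", 56))
    # 3. Slow drip: one 120-byte echo per second for a minute. Each 10-second
    #    window holds at most 10 matches, so the count never passes 50.
    for i in range(60):
        pkts.append(Packet(100.0 + i * 1.0, "203.0.113.9", 120))
    return pkts


if __name__ == "__main__":
    for dst, n in run_rule(build_sample_traffic()).items():
        print(f"{dst}: {n} alert(s)")  # 203.0.113.5: 10 alert(s)
```

Running the script shows why the filter matters for tuning: the burst host produces ten alerts, while the slow sender of identically sized payloads never reaches the threshold, so lowering `count` or widening `seconds` is the knob to turn if a low-rate channel is the concern, at the cost of more noise from legitimate large pings.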

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

Identify the source and destination, and try to understand the reason for that traffic: scanning, part of network management software, or something else. If the communication is confirmed, close the event. Sometimes it's part of normal network behaviour, and then this rule can be disabled.