PROTOCOL-ICMP PING Windows
This alert is triggered when an ICMP echo request (ping) with a specific payload pattern, commonly associated with Windows systems, is sent from an external network to an internal network. This may indicate network scanning or probing activity.
Signature
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:382; rev:11;)
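As an added illustration that is not part of this alert page, the following Python reproduces the rule's match conditions (itype:8, the 16-byte content within depth 16, and the $EXTERNAL_NET -> $HOME_NET direction) over constructed raw packets; it assumes $HOME_NET is 10.0.0.0/8 with $EXTERNAL_NET as its negation. The matched bytes are the start of the 32-byte data field that the Windows ping utility sends by default, which is why an echo reply or a ping from another operating system does not fire.

```python
import ipaddress
import struct

WINDOWS_PING_PREFIX = b"abcdefghijklmnop"          # content:"abcdefghijklmnop" from sid:382
HOME_NET = ipaddress.ip_network("10.0.0.0/8")      # assumed $HOME_NET; $EXTERNAL_NET = !$HOME_NET

def build_ipv4_icmp(src, dst, icmp_type, data):
    """Build a minimal IPv4 + ICMP packet as constructed test input (checksums left zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + data   # type, code, csum, id, seq
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + icmp

def matches_sid382(packet, home_net=HOME_NET):
    """Return True if the raw IPv4 packet would fire the PROTOCOL-ICMP PING Windows rule."""
    if len(packet) < 20:
        return False
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 1:               # IPv4 carrying ICMP (protocol 1)
        return False
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in home_net or dst_ip not in home_net:  # $EXTERNAL_NET any -> $HOME_NET any
        return False
    icmp = packet[(ver_ihl & 0x0F) * 4:]              # skip IP header (IHL in 32-bit words)
    if len(icmp) < 8 or icmp[0] != 8:                 # itype:8 = echo request only
        return False
    data = icmp[8:]                                   # ICMP data after the 8-byte header
    return WINDOWS_PING_PREFIX in data[:16]           # depth:16 -> pattern must start at offset 0

# Constructed sample traffic: Windows ping sends a 32-byte data field by default.
WINDOWS_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"
OTHER_DATA = bytes(range(0x10, 0x30))              # constructed non-Windows style data

SAMPLES = {
    "windows_request_inbound": build_ipv4_icmp("198.51.100.7", "10.1.2.3", 8, WINDOWS_DATA),
    "windows_reply_inbound": build_ipv4_icmp("198.51.100.7", "10.1.2.3", 0, WINDOWS_DATA),
    "other_request_inbound": build_ipv4_icmp("198.51.100.7", "10.1.2.3", 8, OTHER_DATA),
    "windows_request_internal": build_ipv4_icmp("10.9.9.9", "10.1.2.3", 8, WINDOWS_DATA),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {'ALERT' if matches_sid382(pkt) else 'no match'}")
```

Only the inbound Windows-style echo request matches; the reply, the differently padded request and the internal-to-internal request are all ignored, which is useful when judging whether a burst of these alerts reflects external probing or ordinary internal troubleshooting.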
Recommendations/Investigative actions
Check the external IP address sending the ICMP request to see if it’s a trusted source or potentially malicious.
Consider blocking or limiting ICMP requests from external sources.
Relations to other alerts