PROTOCOL-ICMP Echo Reply
This alert is triggered when an ICMP Echo Reply message is received from an external network to the internal network. ICMP Echo Replies are typically responses to ping requests; however, unexpected Echo Replies may indicate a device is responding to pings from outside.
ID Number
408
Signature
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Echo Reply"; icode:0; itype:0; metadata:ruleset community; classtype:misc-activity; sid:408; rev:8;)
Severity
Low
Recommendations/Investigative actions
Find which internal device is receiving this message to assess if it has been sending outbound pings or is being probed.
Limit ICMP responses from external sources if they are not necessary.