Techniques
Sample rules
Detect Large ICMP Traffic
- source: splunk
- techniques:
- T1095
Description
The following analytic identifies ICMP traffic to external IP addresses with total bytes (the sum of bytes in and bytes out) greater than 1,000 bytes. It leverages the Network_Traffic data model to detect large ICMP packets that aren't blocked and are directed toward external networks. We use All_Traffic.bytes in the detection to capture variations in inbound versus outbound traffic sizes, as significant discrepancies or unusually large ICMP exchanges can indicate information smuggling, covert communication, or command-and-control (C2) activity. If validated as malicious, this could signal ICMP tunneling, unauthorized data transfer, or compromised endpoints that require immediate investigation.
Detection logic
| tstats `security_content_summariesonly`
count earliest(_time) as firstTime
latest(_time) as lastTime
values(All_Traffic.action) as action
from datamodel=Network_Traffic where
All_Traffic.bytes > 1000
All_Traffic.action != blocked
AND
(
All_Traffic.protocol=icmp
OR
All_Traffic.transport=icmp
)
NOT All_Traffic.dest_ip IN (
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
"127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
"192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
)
by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.protocol
All_Traffic.bytes All_Traffic.app All_Traffic.bytes_in
All_Traffic.bytes_out All_Traffic.dest_port All_Traffic.dvc
All_Traffic.protocol_version All_Traffic.src_port
All_Traffic.user All_Traffic.vendor_product
| `drop_dm_object_name("All_Traffic")`
| iplocation dest_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_large_icmp_traffic_filter`
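As an added illustration (not part of the Splunk content above, and not a substitute for the `security_content_summariesonly` or `detect_large_icmp_traffic_filter` macros), the WHERE clause and the tstats aggregation of this search re-expressed in Python and run over constructed Network_Traffic-style events; the functions `is_external`, `matches`, `detect_large_icmp` and the sample records are this example's own assumptions.

```python
import ipaddress
from collections import defaultdict

# Destination ranges the search excludes (copied from the page's NOT All_Traffic.dest_ip IN (...) clause).
EXCLUDED_DEST_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
    "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
)]
BYTES_THRESHOLD = 1000  # All_Traffic.bytes > 1000

def is_external(dest_ip):
    # True when no excluded range contains dest_ip; a v4 address never matches a v6 network and vice versa.
    addr = ipaddress.ip_address(dest_ip)
    return not any(addr in net for net in EXCLUDED_DEST_RANGES)

def matches(ev):
    # The per-event WHERE clause: large, not blocked, ICMP by protocol or transport, external destination.
    is_icmp = ev.get("protocol") == "icmp" or ev.get("transport") == "icmp"
    return (ev["bytes"] > BYTES_THRESHOLD and ev.get("action") != "blocked"
            and is_icmp and is_external(ev["dest_ip"]))

def detect_large_icmp(events):
    # tstats-style aggregation (count, earliest/latest _time, values(action)) grouped on
    # src_ip/dest_ip/protocol only; the page's search also splits by bytes, ports, app, dvc, etc.
    rows = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "action": set()})
    for ev in events:
        if not matches(ev):
            continue
        row = rows[(ev["src_ip"], ev["dest_ip"], ev.get("protocol"))]
        row["count"] += 1
        row["firstTime"] = ev["_time"] if row["firstTime"] is None else min(row["firstTime"], ev["_time"])
        row["lastTime"] = ev["_time"] if row["lastTime"] is None else max(row["lastTime"], ev["_time"])
        row["action"].add(ev.get("action"))
    return {k: {**v, "action": sorted(v["action"])} for k, v in rows.items()}

# Constructed sample events (not real telemetry); _time is epoch seconds, bytes = bytes_in + bytes_out.
# 8.8.8.8 appears only as a well-known public address that lies outside every excluded range.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "src_ip": "10.1.2.3", "dest_ip": "8.8.8.8", "protocol": "icmp", "bytes": 1400, "action": "allowed"},
    {"_time": 1700000060, "src_ip": "10.1.2.3", "dest_ip": "8.8.8.8", "protocol": "icmp", "bytes": 2200, "action": "allowed"},
    {"_time": 1700000005, "src_ip": "10.1.2.3", "dest_ip": "192.168.1.1", "protocol": "icmp", "bytes": 1400, "action": "allowed"},  # private dest: excluded
    {"_time": 1700000006, "src_ip": "10.1.2.3", "dest_ip": "8.8.8.8", "protocol": "icmp", "bytes": 1400, "action": "blocked"},  # blocked: excluded
    {"_time": 1700000007, "src_ip": "10.1.2.3", "dest_ip": "8.8.8.8", "protocol": "icmp", "bytes": 64, "action": "allowed"},  # ordinary echo size
    {"_time": 1700000008, "src_ip": "10.1.2.3", "dest_ip": "8.8.8.8", "protocol": "tcp", "bytes": 1500, "action": "allowed"},  # not ICMP
    {"_time": 1700000009, "src_ip": "10.1.2.4", "dest_ip": "2001:db8::10", "protocol": "ip", "transport": "icmp", "bytes": 1200, "action": "allowed"},  # ICMP via transport
    {"_time": 1700000011, "src_ip": "10.1.2.4", "dest_ip": "198.51.100.7", "protocol": "icmp", "bytes": 1200, "action": "allowed"},  # TEST-NET-2: excluded
]
```

Running `detect_large_icmp(SAMPLE_EVENTS)` yields two rows: the two allowed large echoes to 8.8.8.8 collapsed into one row with count 2, and the IPv6 event, which passes because the exclusion list names only ::1 for IPv6, so unique-local or link-local IPv6 destinations are treated as external by this search.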