Techniques
Sample rules
Detect Large ICMP Traffic
- source: splunk
- technicques:
- T1095
Description
The following analytic identifies ICMP traffic to external IP addresses with total bytes (sum of bytes in and bytes out) greater than 1,000 bytes. It leverages the Network_Traffic data model to detect large ICMP packet that aren’t blocked and are directed toward external networks. We use All_Traffic.bytes in the detection to capture variations in inbound versus outbound traffic sizes, as significant discrepancies or unusually large ICMP exchanges can indicate information smuggling, covert communication, or command-and-control (C2) activities. If validated as malicious, this could signal ICMP tunneling, unauthorized data transfer, or compromised endpoints requiring immediate investigation.
Detection logic
| tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) as action
from datamodel=Network_Traffic where All_Traffic.bytes > 1000 AND All_Traffic.action != blocked AND (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16")
by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.protocol, All_Traffic.bytes, All_Traffic.app, All_Traffic.bytes_in, All_Traffic.bytes_out, All_Traffic.dest_port, All_Traffic.dvc, All_Traffic.protocol_version,
All_Traffic.src_port, All_Traffic.user, All_Traffic.vendor_product
| `drop_dm_object_name("All_Traffic")`
| iplocation dest_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_large_icmp_traffic_filter`