Techniques
Sample rules
Detect Large ICMP Traffic
- source: splunk
- techniques:
- T1095
Description
The following analytic identifies ICMP traffic to external IP addresses with total bytes (sum of bytes in and bytes out) greater than 1,000 bytes. It leverages the Network_Traffic data model to detect large ICMP packets that aren't blocked and are directed toward external networks. We use All_Traffic.bytes in the detection to capture variations in inbound versus outbound traffic sizes, as significant discrepancies or unusually large ICMP exchanges can indicate information smuggling, covert communication, or command-and-control (C2) activities. If validated as malicious, this could signal ICMP tunneling, unauthorized data transfer, or compromised endpoints requiring immediate investigation.
Detection logic
| tstats `security_content_summariesonly`
count earliest(_time) as firstTime
latest(_time) as lastTime
values(All_Traffic.action) as action
from datamodel=Network_Traffic where
All_Traffic.bytes > 1000
All_Traffic.action != blocked
AND
(
All_Traffic.protocol=icmp
OR
All_Traffic.transport=icmp
)
NOT ( All_Traffic.dest_ip IN `non_public_ip_blocks`
OR All_Traffic.dest IN `non_public_ip_blocks`
)
by All_Traffic.src_ip All_Traffic.src All_Traffic.dest_ip All_Traffic.dest All_Traffic.protocol
All_Traffic.bytes All_Traffic.app All_Traffic.bytes_in
All_Traffic.bytes_out All_Traffic.dest_port All_Traffic.dvc
All_Traffic.protocol_version All_Traffic.src_port
All_Traffic.user All_Traffic.vendor_product
| `drop_dm_object_name("All_Traffic")`
| eval dest_ip = dest
| eval src_ip = src
| iplocation dest_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_large_icmp_traffic_filter`
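As an added example (not part of the original rule or the Splunk content), the same where-clause and by-clause logic re-implemented in Python over constructed Network_Traffic-style events, so the filter can be sanity-checked offline before tuning. The address ranges standing in for the `non_public_ip_blocks` macro are an assumption; the real macro's contents depend on the deployment.

```python
import ipaddress
from collections import defaultdict

# Stand-in for the `non_public_ip_blocks` macro (assumed ranges, not the macro's real contents)
NON_PUBLIC_BLOCKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def is_non_public(ip):
    """True if ip lies inside one of the non-public blocks; unparsable values count as public."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in NON_PUBLIC_BLOCKS)


def detect_large_icmp(events):
    """Apply the rule's where-clause per event, then aggregate like the tstats `by` clause.
    Returns {(src_ip, dest_ip, bytes): {"count", "firstTime", "lastTime", "action"}}."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "action": set()})
    for e in events:
        if e.get("bytes", 0) <= 1000:                                # All_Traffic.bytes > 1000
            continue
        if e.get("action") == "blocked":                             # All_Traffic.action != blocked
            continue
        if "icmp" not in (e.get("protocol"), e.get("transport")):   # protocol=icmp OR transport=icmp
            continue
        if is_non_public(e.get("dest_ip", "")):                      # NOT dest_ip IN non_public_ip_blocks
            continue
        # The SPL also groups by All_Traffic.bytes, so differing sizes become separate result rows
        g = groups[(e["src_ip"], e["dest_ip"], e["bytes"])]
        g["count"] += 1
        g["firstTime"] = e["_time"] if g["firstTime"] is None else min(g["firstTime"], e["_time"])
        g["lastTime"] = e["_time"] if g["lastTime"] is None else max(g["lastTime"], e["_time"])
        g["action"].add(e.get("action"))
    return dict(groups)


# Constructed sample events using Network_Traffic field names (not real telemetry)
SAMPLE_EVENTS = [
    {"_time": 1000, "src_ip": "10.1.2.3", "dest_ip": "203.0.113.10", "protocol": "icmp", "transport": "icmp", "action": "allowed", "bytes": 1500},
    {"_time": 1060, "src_ip": "10.1.2.3", "dest_ip": "203.0.113.10", "protocol": "icmp", "transport": "icmp", "action": "allowed", "bytes": 1500},
    {"_time": 1100, "src_ip": "10.1.2.3", "dest_ip": "192.168.1.1", "protocol": "icmp", "transport": "icmp", "action": "allowed", "bytes": 4000},  # internal dest
    {"_time": 1200, "src_ip": "10.1.2.3", "dest_ip": "203.0.113.10", "protocol": "icmp", "transport": "icmp", "action": "allowed", "bytes": 64},    # normal ping
    {"_time": 1300, "src_ip": "10.1.2.3", "dest_ip": "198.51.100.5", "protocol": "icmp", "transport": "icmp", "action": "blocked", "bytes": 2000},  # blocked
    {"_time": 1400, "src_ip": "10.1.2.3", "dest_ip": "198.51.100.5", "protocol": "tcp", "transport": "tcp", "action": "allowed", "bytes": 5000},    # not ICMP
]

if __name__ == "__main__":
    for key, row in detect_large_icmp(SAMPLE_EVENTS).items():
        print(key, row)
```

Only the two allowed 1,500-byte exchanges to 203.0.113.10 survive, aggregated into one row with count 2; the internal, small, blocked and TCP events are dropped by the same conditions the SPL applies.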