Detection: Detect Large ICMP Traffic

Description

The following analytic identifies ICMP traffic to external IP addresses with total bytes (sum of bytes in and bytes out) greater than 1,000 bytes. It leverages the Network_Traffic data model to detect large ICMP packet that aren't blocked and are directed toward external networks. We use All_Traffic.bytes in the detection to capture variations in inbound versus outbound traffic sizes, as significant discrepancies or unusually large ICMP exchanges can indicate information smuggling, covert communication, or command-and-control (C2) activities. If validated as malicious, this could signal ICMP tunneling, unauthorized data transfer, or compromised endpoints requiring immediate investigation.

Search

 1
 2| tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) as action
 3    from datamodel=Network_Traffic where All_Traffic.bytes > 1000 AND All_Traffic.action != blocked AND (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16")
 4    by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.protocol, All_Traffic.bytes, All_Traffic.app, All_Traffic.bytes_in, All_Traffic.bytes_out, All_Traffic.dest_port, All_Traffic.dvc, All_Traffic.protocol_version, 
 5    All_Traffic.src_port, All_Traffic.user, All_Traffic.vendor_product
 6
 7| `drop_dm_object_name("All_Traffic")` 
 8
 9| iplocation dest_ip 
10
11| `security_content_ctime(firstTime)` 
12
13| `security_content_ctime(lastTime)` 
14
15| `detect_large_icmp_traffic_filter`

Data Source

Name	Platform	Sourcetype	Source
Palo Alto Network Traffic	Network	'pan:traffic'	'screenconnect_palo_traffic'

Macros Used

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Implementation

The following analytic was developed with Palo Alto traffic logs. Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.

Known False Positives

ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet could be perfectly legitimate. If large ICMP packets are associated with Command And Control traffic, there will typically be a large number of these packets observed over time. If the search is providing a large number of false positives, you can modify the macro detect_large_icmp_traffic_filter to adjust the byte threshold or add specific IP addresses to an allow list.

Associated Analytic Story

• Backdoor Pingpong

• China-Nexus Threat Activity

• Command And Control

Risk Based Analytics (RBA)

Risk Message:

Large ICMP traffic greater than a 1000 bytes detected from $src_ip$ to $dest_ip$

Detection Testing

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1