Detect ping with size more than 65000 bytes

Hello, can you help me detect pings with a size of more than 65000 bytes with Suricata?


Probably with a combination of icmp and dsize keywords:

https://suricata.readthedocs.io/en/suricata-6.0.7/rules/header-keywords.html#itype
https://suricata.readthedocs.io/en/suricata-6.0.7/rules/payload-keywords.html#dsize

Hello Victor, I have used dsize in the rules I created, but when testing, no warning appears in fast.log. Here are the rules I made:
alert icmp any any -> any any (msg:"Ping Big Size Detected"; dsize:>65000; classtype:bad-unknown; sid:1000002; rev:5;)
Is there something wrong with the alert I made? Please help me, thank you.

Your test rule is correct.

Probably your ICMP request is getting fragmented, so each fragment is smaller than your dsize definition.
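As an added example (not code from this thread or from the Suricata project), the fragmentation point above modelled in Python: it builds an oversized echo request, splits it the way an IPv4 stack would at an assumed 1500-byte MTU, and applies the dsize:>65000 test both per fragment and against the reassembled datagram. The MTU, header sizes and the fact that Suricata's own defrag engine is not modelled are assumptions.

```python
"""Why a per-packet dsize:>65000 test can miss a large ping once it is
fragmented at the IP layer. Constants and the absence of any IDS-side
reassembly are assumptions for illustration."""

import struct

MTU = 1500               # assumed link MTU
IP_HDR = 20              # IPv4 header without options
DSIZE_THRESHOLD = 65000  # threshold from the rule in this thread


def build_echo_request(payload_len, ident=1, seq=1):
    """ICMP echo request (type 8) with a constructed filler payload; checksum left 0."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return header + b"A" * payload_len


def fragment(ip_payload, mtu=MTU):
    """Split an IP payload into (offset_in_8_byte_units, more_fragments, data)
    tuples; every fragment but the last carries a multiple of 8 bytes."""
    max_data = ((mtu - IP_HDR) // 8) * 8
    frags, pos = [], 0
    while pos < len(ip_payload):
        chunk = ip_payload[pos:pos + max_data]
        more = (pos + len(chunk)) < len(ip_payload)
        frags.append((pos // 8, more, chunk))
        pos += len(chunk)
    return frags


def reassemble(frags):
    """Rebuild the original payload from fragments in offset order."""
    return b"".join(data for _, _, data in sorted(frags, key=lambda f: f[0]))


def dsize_matches(payload, threshold=DSIZE_THRESHOLD):
    """Equivalent of dsize:>threshold evaluated on one packet's payload."""
    return len(payload) > threshold


def evaluate(payload_len):
    """Compare the size test per fragment with the test on the reassembled datagram."""
    frags = fragment(build_echo_request(payload_len))
    return {
        "fragments": len(frags),
        "largest_fragment_payload": max(len(d) for _, _, d in frags),
        "per_fragment_hit": any(dsize_matches(d) for _, _, d in frags),
        "reassembled_hit": dsize_matches(reassemble(frags)),
    }


if __name__ == "__main__":
    print(evaluate(65400))  # 45 fragments of at most 1480 bytes: no per-fragment hit
```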

Hello Alex,
what should I do, so that fast.log will give a warning about the rules that I have created?

Sorry to jump in, just a suggestion, non-rule-based.
If needed you can visualize that easily by using the flow logs that Suricata produces in Kibana/Splunk etc. with something like the query below:
(Kibana-tested query below)

(proto:"ICMP" OR proto:"IPv6-ICMP") AND (flow.bytes_toclient:>65000 OR flow.bytes_toserver:>65000)

@Mada do you have a pcap for testing?