Detect ping with size more than 65000 bytes

Mada · September 27, 2022, 6:01am

hello, can you help me to detect ping with size more than 65000 bytes with suricata

vjulien · September 28, 2022, 9:27am

Probably with a combination of icmp and dsize keywords:

https://suricata.readthedocs.io/en/suricata-6.0.7/rules/header-keywords.html#itype
https://suricata.readthedocs.io/en/suricata-6.0.7/rules/payload-keywords.html#dsize

Mada · September 28, 2022, 11:56am

hello victor, I have used dsize in the rules I created. but when testing, no warning appears in fast.log here are the rules I made
alert icmp any any → any any (msg : "Ping Big Size Detected; dsize:>65000; classtype:bad-unknown; sid:1000002; rev:5;)
is there something wrong with the alert I made? please help me thank you

lex · September 28, 2022, 2:57pm

Your test rule is correct.

Problably your icmp request is getting fragmented, so each fragment is smaller than your dsize definition.

Mada · September 28, 2022, 11:20pm

Hallo Alex,
what should I do, so that fast.log will give a warning about the rules that I have created?

pevma · September 29, 2022, 6:38am

Sorry to jump in, just a suggestion - non rule based.
If needed you can visualize that easily by using the flow logs that Suricata produces in Kibana/Splunk etc with somthing like this below:
(KIbana tested query below)

(proto:"ICMP" OR proto:"IPv6-ICMP") AND (flow.bytes_toclient:>65000 OR flow.bytes_toserver:>65000 ) 
``

Philippe_Antoine · October 5, 2022, 12:13pm

@Mada do you have a pcap for testing ?

Topic		Replies	Views
Rule data size question Rules rules , suricata	2	414	March 16, 2023
Testing ping alert rule Rules suricata	5	3189	July 27, 2022
Alert logs not triggered Help	3	1180	November 26, 2020
Some match bypass? Rules rules	27	1740	September 17, 2021
How to create ICMP alerts per packet Rules	1	274	December 1, 2023

Detect ping with size more than 65000 bytes

Related Topics