Hello, can you help me detect pings with a size of more than 65000 bytes with Suricata?
Probably with a combination of icmp and dsize keywords:
Hello Victor, I have used dsize in the rules I created, but when testing, no warning appears in fast.log. Here is the rule I made:
alert icmp any any -> any any (msg:"Ping Big Size Detected"; dsize:>65000; classtype:bad-unknown; sid:1000002; rev:5;)
Is there something wrong with the alert I made? Please help me, thank you.
Your test rule is correct.
Probably your ICMP request is getting fragmented, so each fragment is smaller than your dsize definition.
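To make the fragmentation point concrete, here is an added Python model (not code from this thread or from Suricata) that splits an oversized ICMP echo into IPv4 fragments the way a sending stack would, then compares a size check applied per fragment with the same check applied after reassembly. It assumes a 1500-byte MTU, IPv4 without options and an 8-byte ICMP header; the 65000 threshold is the one from the rule above.

```python
from collections import defaultdict
from dataclasses import dataclass

IP_HDR, ICMP_HDR, MTU = 20, 8, 1500   # assumed sizes for this model
THRESHOLD = 65000                     # the rule's dsize:>65000

@dataclass
class Fragment:
    ident: int      # IP identification shared by all fragments of one datagram
    offset: int     # byte offset of this fragment's data within the datagram
    more: bool      # IP "more fragments" flag
    payload: bytes  # everything after the IP header

def fragment_echo(ident: int, data: bytes, mtu: int = MTU) -> list[Fragment]:
    """Split one ICMP echo (8-byte header + data) into IPv4 fragments: each
    carries at most mtu - IP_HDR bytes, rounded down to a multiple of 8
    because the fragment offset field counts 8-byte units."""
    datagram = b"\x08\x00" + b"\x00" * 6 + data   # type 8 (echo), zeroed fields
    step = (mtu - IP_HDR) // 8 * 8
    return [Fragment(ident, off, off + step < len(datagram), datagram[off:off + step])
            for off in range(0, len(datagram), step)]

def per_fragment_hits(frags, threshold=THRESHOLD) -> int:
    """Size check applied to each fragment on its own: no single fragment
    can exceed the MTU, so a >65000 test never fires here."""
    return sum(1 for f in frags if len(f.payload) > threshold)

def reassemble(frags) -> dict[int, bytes]:
    """Group fragments by IP ident and rebuild each complete datagram.
    Groups with a gap, or whose last piece still has 'more' set, are
    skipped: the detector must keep state until the datagram is whole."""
    groups = defaultdict(list)
    for f in frags:
        groups[f.ident].append(f)
    done = {}
    for ident, parts in groups.items():
        parts.sort(key=lambda f: f.offset)
        buf, expect = b"", 0
        for f in parts:
            if f.offset != expect:
                break                      # missing fragment, cannot rebuild
            buf += f.payload
            expect += len(f.payload)
        else:
            if not parts[-1].more:
                done[ident] = buf
    return done

def reassembled_hits(frags, threshold=THRESHOLD) -> int:
    """Same threshold applied to the ICMP data of each reassembled datagram."""
    return sum(1 for d in reassemble(frags).values() if len(d) - ICMP_HDR > threshold)
```

Note that a 65000-byte echo payload is exactly 65000 bytes of ICMP data, which does not satisfy `>65000` even after reassembly; the model only fires for strictly larger echoes.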
What should I do so that fast.log will give a warning about the rules that I have created?
Sorry to jump in, just a suggestion, non-rule-based.
If needed, you can visualize that easily by using the flow logs that Suricata produces in Kibana/Splunk etc. with something like the query below:
(Kibana-tested query below)
(proto:"ICMP" OR proto:"IPv6-ICMP") AND (flow.bytes_toclient:>65000 OR flow.bytes_toserver:>65000)
@Mada, do you have a pcap for testing?