How to create ICMP alerts per packet

orloffdd · November 28, 2023, 11:02pm

Hi,
I am trying to use simple test rule:
alert ip any any → any any (msg:”ICMP Ping”, ip_proto: icmp; sid: 1000001;)
for logging icmp packets

But suricata create only 2 alerts such as
ICMP Ping 192.168.0.117 → 192.168.0.114
ICMP Ping 192.168.0.114 → 192.168.0.117

I need more alerts if ping will continue or restart, but suricata don’t create them for several minutes

How to fix it?
Thanks for help

vjulien · December 1, 2023, 8:56am

The rule is considered an “ip only” rule which is matched only once per flow, and the icmp echo/echo reply is tracked as a flow.

You can add a condition to the rule to make it a per packet rule (e.g. dsize:>0; or icode:8;), then it should alert per packet.

Topic		Replies	Views
How to make suricata alert per packet when it is matched Rules	3	1339	March 22, 2022
I can only see the first alert of a rule Help	2	1686	December 15, 2020
Testing ping alert rule Rules suricata	5	3257	July 27, 2022
Alert for every drop/alert Help	2	62	April 27, 2024
Alert once per connection with Suricata rules Rules aws	9	1014	April 12, 2023