Ping rule to detect

stetnt4 · October 13, 2023, 8:27pm

Hello!I use a rule to detect ping, how can I make it work not from the first packet, let’s say from 4?
alert icmp any any → $HOME_NET any (msg:“ICMP detected”; flow: to_server; GID:1; sid:10000001; rev:001; classtype:attempted-recon;)

sbhardwaj · October 14, 2023, 2:31pm

I suppose one way could be flowint: 8.11. Flow Keywords — Suricata 7.0.2-dev documentation

stetnt4 · October 14, 2023, 7:38pm

It doesn’t work, I tried many options
alert icmp any any → $HOME_NET any (msg:“ICMP detected”; flow: to_server; GID:1; sid:10000001; rev:001; classtype:attempted-recon; \
flowint:icmp_count, +, 1; flowint:icmp_count, >, 5;)

stetnt4 · October 16, 2023, 12:28pm

tell me what’s wrong?

lukashino · October 16, 2023, 9:55pm

It doesn’t work, I tried many options

What does it do? Does it not alert at all? Does it alert on every ping anyway?

I would try to also split it in multiple rules like this (from docs):

alert tcp any any → any any (msg:“Start a login count”; content:“login failed”;
flowint:loginfail, notset; flowint:loginfail, =, 1; noalert;)
So we detect the initial fail if the variable is not yet set and set it to 1 if so. Our first hit.
alert tcp any any → any any (msg:“Counting Logins”; content:“login failed”;
flowint:loginfail, isset; flowint:loginfail, +, 1; noalert;)
We are now incrementing the counter if it’s set.
alert tcp any any → any any (msg:“More than Five login fails in a Stream”;
content:“login failed”; flowint:loginfail, isset; flowint:loginfail, >, 5;)
alert tcp any any → any any (msg:“Start a login count”; content:“login failed”;
flowint:loginfail, notset; flowint:loginfail, =, 1; noalert;)
So we detect the initial fail if the variable is not yet set and set it to 1 if so. Our first hit.

At the same time, maybe instead of flowint you would want to use thresholds/rate-limit?
https://docs.suricata.io/en/latest/configuration/global-thresholds.html#threshold-event-filter

stetnt4 · October 17, 2023, 6:37am

my rule works for every packet if you add flowint :icmp_count, +, 1; flowint:icmp_count, >, 5;), then it stops working altogether

Philippe_Antoine · October 19, 2023, 8:03pm

If you put both flowint :icmp_count, +, 1; flowint:icmp_count, >, 5;) in the same rule, the rule does not trigger because icmp_count can never get above 5 (because it gets increased only if the rule matches)

So, you can split in 2 rules one with flowint :icmp_count, +, 1; and use noalert; keyword, and another one with flowint:icmp_count, >, 5;)

stetnt4 · October 25, 2023, 12:10pm

Thank you! Everything works

Topic		Replies	Views
Flowint example is odd Rules	2	241	August 9, 2023
Can not get SSH alert	7	221	November 27, 2023
Question about SSH SCAN rule Help suricata	1	855	November 16, 2022
ICMP issue with non-default action order Help rules	4	1261	September 10, 2021
Query about custom rule	12	146	December 18, 2023

Ping rule to detect

Related Topics