[New Rule] Potential ICMP Tunneling Activity to the Internet#6352
Conversation
Rule: New - GuidelinesThese guidelines serve as a reminder set of considerations when proposing a new rule. Documentation and Context
Rule Metadata Checks
New BBR Rules
Testing and Validation
|
|
⛔️ Test failed Results
|
There was a problem hiding this comment.
Pull request overview
Adds a new network new_terms detection rule to identify potential ICMP tunneling/covert-channel activity by flagging unusually large ICMP Echo transactions from internal sources to external destinations.
Changes:
- Introduces a new
new_termsrule targeting large ICMP Echo request traffic to the internet. - Adds an investigation guide, setup requirements, and MITRE ATT&CK mappings for ICMP tunneling context.
|
⛔️ Test failed Results
|
There was a problem hiding this comment.
Nice. Did you test ICMP tunneling tools such as e.g. Hans? https://github.com/albertzak/hanstunnel
Yes, not with Hans prior to this, but adding a test info for Hans specifically here. This rule will not detect the creation or initial setup of the ICMP tunnel as this can be done with small echo packets. E.g. Me setting up some tunnels on a local machine (network bytes usually around < 100 )
But will will detect when the tunnels are used (they will generally go above the 256 byte threshold).
|
|
⛔️ Test failed Results
|



Pull Request
Issue link(s):
Summary - What I changed
Adds a new
new_termsnetwork detection rule that identifies sustained ICMP Echo traffic from an internal host to an external destination with larger-than-typical transaction sizes. ICMP tunneling tools and covert channels can embed command-and-control or exfiltrated data in echo request and reply payloads, which may stand out from normal fixed-size ping behavior.How To Test
RTA and shared data in stack.

Checklist
bug,enhancement,schema,maintenance,Rule: New,Rule: Deprecation,Rule: Tuning,Hunt: New, orHunt: Tuningso guidelines can be generatedmeta:rapid-mergelabel if planning to merge within 24 hoursContributor checklist