Rule Category

PROTOCOL-ICMP -- Snort alerted on Internet Control Message Protocol (ICMP) traffic, which allows hosts to send error messages about interruptions in traffic. Administrators can use ICMP to perform diagnostics and troubleshooting, but the protocol can also be used by attackers to gain information on a network. This protocol is vulnerable to several attacks, and many administrators block it altogether, or block selective messages.

Alert Message

PROTOCOL-ICMP Timestamp Request

Rule Explanation

This event is generated when an ICMP Timestamp request is made. Impact: Information gathering. An ICMP Timestamp request can determine if a host is active. Details: An ICMP Timestamp request is used by the ping command to elicit an ICMP Timestamp reply from a listening live host. This rule alerts on a generic ICMP request where no payload is included in the message or the payload does not match more specific rules. If ICMP type 8 (echo) traffic is filtered at a firewall, and attacker may try to use type 13 (timestamp) as an alternative. Ease of Attack: Simple

What To Look For

Known Usage

No public information

False Positives

Known false positives, with the described conditions

An ICMP Timestamp request may be used to legitimately troubleshoot networking problems.

Contributors

Original Rule Writer Unknown Cisco Talos Nigel Houghton Judy Novak Additional information by Steven Alexander<alexander.s@mccd.edu>

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

Rule Vulnerability

CVE Additional Information