Sid 1-453


PROTOCOL-ICMP Timestamp Request


This event is generated when an ICMP Timestamp request is made.


Information gathering. An ICMP Timestamp request can determine if a host is active.

Detailed information

An ICMP Timestamp request is used by the ping command to elicit an ICMP Timestamp reply from a listening live host. This rule alerts on a generic ICMP request where no payload is included in the message or the payload does not match more specific rules.

If ICMP type 8 (echo) traffic is filtered at a firewall, an attacker may try to use type 13 (timestamp) as an alternative.
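
The check described above, as an added example (not the rule's own text or Snort code): a parser that picks ICMP Timestamp requests (type 13, code 0) out of raw IPv4 packets and ignores echo requests and messages with a bad ICMP checksum. The function names are hypothetical and the two sample packets are constructed inline with documentation addresses.

```python
import struct

ICMP_ECHO, ICMP_TIMESTAMP = 8, 13  # ICMP types named on this page (RFC 792)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(packet: bytes):
    """Return ICMP details for a raw IPv4 packet, or None if not valid ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:  # protocol 1 = ICMP
        return None
    icmp = packet[ihl:]
    if inet_checksum(icmp) != 0:              # corrupt or truncated message
        return None
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    info = {"src": ".".join(map(str, packet[12:16])), "type": icmp_type,
            "id": ident, "seq": seq,
            "timestamp_request": icmp_type == ICMP_TIMESTAMP and code == 0}
    if info["timestamp_request"] and len(icmp) >= 20:
        # Originate timestamp: milliseconds since midnight UT
        info["originate_ms"] = struct.unpack("!I", icmp[8:12])[0]
    return info

def build(icmp_type: int, body: bytes = b"") -> bytes:
    """Constructed sample packet using documentation addresses (demo input only)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + body
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return ip + icmp   # IP header checksum left 0; classify() does not check it

ECHO = build(ICMP_ECHO)
TSTAMP = build(ICMP_TIMESTAMP, struct.pack("!III", 43_200_000, 0, 0))

def timestamp_sources(packets):
    """Sources that sent an ICMP Timestamp request (type 13, code 0)."""
    hits = (classify(p) for p in packets)
    return [h["src"] for h in hits if h and h["timestamp_request"]]

if __name__ == "__main__":
    print(timestamp_sources([ECHO, TSTAMP]))
```

A filter or sensor that only matches type 8 would treat `TSTAMP` as unremarkable, which is why the timestamp request needs its own match.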

Affected systems

  • All

Ease of attack


False positives

An ICMP Timestamp request may be used to legitimately troubleshoot networking problems.

False negatives

None known.

Corrective action

Block inbound ICMP Timestamp requests.


  • Original Rule Writer Unknown
  • Cisco Talos
  • Nigel Houghton
  • Judy Novak
  • Additional information by Steven

Additional References