Sid 1-453

Message

PROTOCOL-ICMP Timestamp Request

Summary

This event is generated when an ICMP Timestamp request is made.

Impact

Information gathering. An ICMP Timestamp request can determine whether a host is active, and the reply discloses the target's system clock (milliseconds since midnight UTC).

Detailed information

An ICMP Timestamp request (ICMP type 13) asks a host to return its current time of day; a live host that honours the request answers with an ICMP Timestamp reply (ICMP type 14). The standard ping utility sends ICMP Echo requests (type 8), not Timestamp requests; scanners and packet crafting tools such as nmap and hping3 are the usual sources of Timestamp requests. This rule alerts on any inbound ICMP message of type 13.

If ICMP type 8 (echo) traffic is filtered at a firewall, an attacker may try to use type 13 (timestamp) as an alternative way to discover live hosts.
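The following is an added example, not part of the original rule documentation and not Snort's own code: it builds the 20-byte ICMP Timestamp request described above (RFC 792), parses and checksum-verifies a reply, and applies the detection condition this page describes (ICMP type 13) to each message. The function name rule_453_matches is a hypothetical mirror of the rule's match condition, not the rule's actual body; the request/reply pair at the bottom is constructed inline so the script runs offline without raw sockets. Real probes are sent by, for example, nmap -PP or hping3 --icmp-ts.

```python
"""Build, parse and classify ICMP Timestamp (type 13/14) messages per RFC 792."""
import struct

ICMP_TIMESTAMP_REQUEST = 13      # ICMP type this page says sid 453 alerts on
ICMP_TIMESTAMP_REPLY = 14
_FMT = "!BBHHHIII"               # type, code, checksum, id, seq, originate, receive, transmit
MSG_LEN = struct.calcsize(_FMT)  # 20 bytes, fixed size for timestamp messages


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ms_since_midnight_utc(epoch_seconds: float) -> int:
    """Timestamp encoding RFC 792 expects: milliseconds since midnight UT."""
    return int((epoch_seconds % 86400) * 1000)


def _build(itype: int, ident: int, seq: int, orig: int, recv: int, xmit: int) -> bytes:
    # Checksum is computed with the checksum field zeroed, then inserted.
    unchecked = struct.pack(_FMT, itype, 0, 0, ident, seq, orig, recv, xmit)
    return struct.pack(_FMT, itype, 0, icmp_checksum(unchecked), ident, seq, orig, recv, xmit)


def build_timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    """What a prober puts on the wire: type 13, receive and transmit fields zero."""
    return _build(ICMP_TIMESTAMP_REQUEST, ident, seq, originate_ms, 0, 0)


def build_timestamp_reply(ident: int, seq: int, originate_ms: int,
                          receive_ms: int, transmit_ms: int) -> bytes:
    """What a responding host sends back; used here only to construct a sample reply."""
    return _build(ICMP_TIMESTAMP_REPLY, ident, seq, originate_ms, receive_ms, transmit_ms)


def parse_icmp_timestamp(packet: bytes) -> dict:
    """Decode a type 13/14 message (ICMP header only, no IP header) and verify its checksum."""
    if len(packet) < MSG_LEN:
        raise ValueError("timestamp messages are %d bytes" % MSG_LEN)
    if icmp_checksum(packet[:MSG_LEN]) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _, ident, seq, orig, recv, xmit = struct.unpack(_FMT, packet[:MSG_LEN])
    if itype not in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        raise ValueError("not an ICMP timestamp message: type %d" % itype)
    return {"type": itype, "code": code, "id": ident, "seq": seq,
            "originate": orig, "receive": recv, "transmit": xmit}


def rule_453_matches(icmp_packet: bytes) -> bool:
    """Hypothetical mirror of the match condition described on this page: ICMP type 13."""
    return len(icmp_packet) >= 1 and icmp_packet[0] == ICMP_TIMESTAMP_REQUEST


def remote_clock_offset_ms(reply: dict, now_ms: int) -> int:
    """Estimate (target clock - our clock) from a reply: the information the probe leaks."""
    return ((reply["receive"] - reply["originate"]) + (reply["transmit"] - now_ms)) // 2


if __name__ == "__main__":
    # Constructed exchange: probe sent at 1000 ms, target clock reads 5000 ms on
    # receive and transmit, reply observed by the prober at 1100 ms (100 ms RTT).
    req = build_timestamp_request(0x1234, 1, 1000)
    rep = build_timestamp_reply(0x1234, 1, 1000, 5000, 5000)
    for pkt in (req, rep):
        fields = parse_icmp_timestamp(pkt)
        print(fields, "ALERT PROTOCOL-ICMP Timestamp Request" if rule_453_matches(pkt) else "no alert")
    offset = remote_clock_offset_ms(parse_icmp_timestamp(rep), 1100)
    print("target clock is ahead of ours by about %d ms" % offset)
```

Only the request triggers the match; the reply (type 14) is what the prober reads to learn the target's clock, which is why blocking the inbound request at the perimeter, as the corrective action below says, removes both the liveness signal and the clock leak.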

Affected systems

  • All

Ease of attack

Simple

False positives

An ICMP Timestamp request may be used to legitimately troubleshoot networking problems.

False negatives

None known.

Corrective action

Block inbound ICMP Timestamp requests (ICMP type 13) at the perimeter firewall.

Contributors

  • Original Rule Writer Unknown
  • Cisco Talos
  • Nigel Houghton
  • Judy Novak
  • Additional information by Steven Alexander (alexander.s@mccd.edu)

Additional References