PROTOCOL-ICMP -- Snort alerted on Internet Control Message Protocol (ICMP) traffic, which allows hosts to send error messages about interruptions in traffic. Administrators can use ICMP to perform diagnostics and troubleshooting, but the protocol can also be used by attackers to gain information on a network. This protocol is vulnerable to several attacks, and many administrators block it altogether, or block selective messages.
PROTOCOL-ICMP Timestamp Request
This event is generated when an ICMP Timestamp request is made.
Information gathering. An ICMP Timestamp request can determine if a host is active.
An ICMP Timestamp request is used by the ping command to elicit an ICMP Timestamp reply from a listening live host. This rule alerts on a generic ICMP request where no payload is included in the message or the payload does not match more specific rules.
If ICMP type 8 (echo) traffic is filtered at a firewall, and attacker may try to use type 13 (timestamp) as an alternative.
Ease of Attack:
What To Look For
No public information
Known false positives, with the described conditions
An ICMP Timestamp request may be used to legitimately troubleshoot networking problems.
Original Rule Writer Unknown
Additional information by Steven Alexander<firstname.lastname@example.org>
MITRE ATT&CK Framework
For reference, see the MITRE ATT&CK vulnerability types here:
CVE Additional Information