Simple policy to detect ICMP Scans
The following functionality is provided by the script:
1) The package identifies ICMP scanning.
Installation
bro-pkg install bro/initconf/icmp-scans
or @load icmp-scans/scripts
Detailed Notes:
Detailed alerts and descriptions: the following alerts are generated by the script.
The heuristics are simple: check for the different kinds of ICMP connections and, if they cross a certain threshold, generate a notice.
(This version uses broker::auto_publish. I do intend to update the script to use cluster_hrw events, which are more efficient as well as meaningful in this case.)
This should generate the following kinds of notices:
Example notices:
1) ICMP::AddressMaskScan - An address mask request message reveals the subnet mask used by the target host. This information is useful when mapping networks and identifying the size of subnets and network spaces used by organizations.
2) ICMP::ICMPAddressScan - Primarily flags ICMP echo requests/replies, also known as ping scanning.
3) ICMP::InfoRequestScan - The ICMP information request message was intended to support self-configuring systems such as diskless workstations at boot time, to allow them to discover their network address. Protocols such as RARP, BOOTP, or DHCP do so more robustly, so type 15 messages are rarely used.
4) ICMP::TimestampScan - A timestamp request message requests system time information from the target host. The response is in decimal format and is the number of milliseconds elapsed since midnight GMT.
5) ICMP::ScanSummary - General summary of an ICMP scan: how many hosts were probed over how much time.
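To make the threshold heuristic and the notice kinds above concrete, here is an added illustration in Python of the same idea: per source host and ICMP message type, count the distinct destinations probed and raise the corresponding notice once a threshold is crossed, then roll everything up into a summary. This is not the package's Zeek/Bro code; the threshold (5 hosts), the idle window (300 s), the detector class and the sample events are all constructed here for the example. The ICMP type numbers (8, 13, 15, 17) are the standard ones from RFC 792/950.

```python
"""Toy model of the per-type threshold heuristic for ICMP scan detection.

Added example; the real package implements this as a Zeek/Bro script.
"""
from dataclasses import dataclass, field

# Standard ICMP request types mapped to the notice names used by the package.
NOTICE_FOR_TYPE = {
    8: "ICMP::ICMPAddressScan",   # echo request (ping sweep)
    13: "ICMP::TimestampScan",    # timestamp request
    15: "ICMP::InfoRequestScan",  # information request
    17: "ICMP::AddressMaskScan",  # address mask request
}

THRESHOLD = 5    # distinct destinations before a notice fires (assumed value)
WINDOW = 300.0   # seconds of inactivity after which a source's state is forgotten (assumed)


@dataclass
class ScannerState:
    first_seen: float
    last_seen: float
    hosts: set = field(default_factory=set)
    notified: bool = False


class IcmpScanDetector:
    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.state = {}      # (src, icmp_type) -> ScannerState
        self.notices = []    # (notice_name, src, host_count, seconds_elapsed)

    def observe(self, ts, src, dst, icmp_type):
        """Feed one ICMP request; return a notice tuple if the threshold was just crossed."""
        if icmp_type not in NOTICE_FOR_TYPE:
            return None          # replies and other types are not counted here
        key = (src, icmp_type)
        st = self.state.get(key)
        # Start fresh if this is a new source/type or the old state went idle too long.
        if st is None or ts - st.last_seen > self.window:
            st = ScannerState(first_seen=ts, last_seen=ts)
            self.state[key] = st
        st.last_seen = ts
        st.hosts.add(dst)
        if not st.notified and len(st.hosts) >= self.threshold:
            st.notified = True   # one notice per source/type per window
            notice = (NOTICE_FOR_TYPE[icmp_type], src,
                      len(st.hosts), st.last_seen - st.first_seen)
            self.notices.append(notice)
            return notice
        return None

    def summary(self):
        """ICMP::ScanSummary-style rollup: per flagged source, hosts probed and time span."""
        out = {}
        for (src, icmp_type), st in self.state.items():
            if st.notified:
                out.setdefault(src, {})[NOTICE_FOR_TYPE[icmp_type]] = (
                    len(st.hosts), st.last_seen - st.first_seen)
        return out


def run_demo():
    """Constructed ICMP requests: (ts, src, dst, icmp_type)."""
    events = []
    # 10.0.0.5 ping-sweeps six hosts in 2.5 s -> ICMPAddressScan at the 5th host.
    for i in range(6):
        events.append((100.0 + 0.5 * i, "10.0.0.5", f"10.0.1.{i + 1}", 8))
    # 10.0.0.9 pings two hosts: below threshold, no notice.
    events += [(103.0, "10.0.0.9", "10.0.2.1", 8), (104.0, "10.0.0.9", "10.0.2.2", 8)]
    # 10.0.0.5 also sends timestamp requests to five hosts -> TimestampScan.
    for i in range(5):
        events.append((110.0 + i, "10.0.0.5", f"10.0.3.{i + 1}", 13))
    # 10.0.0.7 probes four hosts, goes idle past the window, then one more: no notice.
    for i in range(4):
        events.append((200.0 + i, "10.0.0.7", f"10.0.4.{i + 1}", 8))
    events.append((900.0, "10.0.0.7", "10.0.4.5", 8))

    det = IcmpScanDetector()
    fired = [n for n in (det.observe(*e) for e in events) if n]
    return det, fired


if __name__ == "__main__":
    detector, notices = run_demo()
    for n in notices:
        print("NOTICE %s from %s: %d hosts in %.1fs" % n)
    print("summary:", detector.summary())
```

The slow-scan case (10.0.0.7) shows the usual trade-off in this kind of heuristic: a probe rate below the threshold-per-window never fires, so the window and threshold have to be tuned for the site rather than taken as given.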
Ref: http://etutorials.org/Networking/network+security+assessment/Chapter+4.+IP+Network+Scanning/4.1+ICMP+Probing/