forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathlarge_icmp_outbound.yml
More file actions
112 lines (112 loc) · 4.53 KB
/
large_icmp_outbound.yml
File metadata and controls
112 lines (112 loc) · 4.53 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
asset_type: Endpoint
confidence: medium
creation_date: '2018-06-01'
data_metadata:
data_models:
- Network_Traffic
data_source:
- Network Communications
providing_technologies:
- Bro
- Splunk Stream
- Palo Alto Firewall
description: This search looks for outbound ICMP packets with a packet size larger
than 1,000 bytes. Various threat actors have been known to use ICMP as a command
and control channel for their attack infrastructure. Large ICMP packets from an
endpoint to a remote host may be indicative of this activity.
detect:
splunk:
correlation_rule:
notable:
nes_fields: src_ip, dest_ip
rule_description: Large outbound ICMP packet detected.
rule_title: Large ICMP packet from $src_ip$ to $dest_ip$ detected
risk:
risk_object: src_ip
risk_object_type:
- system
risk_score: 50
schedule:
cron_schedule: 0 * * * *
earliest_time: -70m@m
latest_time: -10m@m
search: '| tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time)
as lastTime values(All_Traffic.action) values(All_Traffic.bytes) from datamodel=Network_Traffic
where All_Traffic.action !=blocked All_Traffic.dest_category !=internal (All_Traffic.protocol=icmp
OR All_Traffic.transport=icmp) All_Traffic.bytes > 1000 by All_Traffic.src_ip
All_Traffic.dest_ip | `drop_dm_object_name("All_Traffic")` | search ( dest_ip!=10.0.0.0/8
AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`'
suppress:
suppress_fields: src_ip
suppress_period: 28800s
eli5: This search works by looking at fields in the Network_Traffic data model, which
is populated by various firewalls and passive networking monitoring technologies.
Specifically, the search looks for ICMP packets larger than 1,000 bytes with a destination
that is external to your organization.
entities:
- src_ip
how_to_implement: 'In order to run this search effectively, we highly recommend that
you leverage the Assets and Identity framework. It is important that you have a
good understanding of how your network segments are designed and that you are able
to distinguish internal from external address space. Add a category named `internal`
to the CIDRs that host the company''s assets in the `assets_by_cidr.csv` lookup
file, which is located in `$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/`.
More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata.
This search also requires you to be ingesting your network traffic and populating
the Network_Traffic data model'
id: e9c102de-4d43-42a7-b1c8-8062ea297419
investigations:
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
name: Get Authentication Logs For Endpoint
type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d55
name: Get Risk Modifiers For User
type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd71
name: Get Process Info
type: splunk
- id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
name: Get Notable History
type: splunk
- id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
name: Get Notable Info
type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d65
name: Get Risk Modifiers For Endpoint
type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
name: Get User Information from Identity Table
type: splunk
known_false_positives: ICMP packets are used in a variety of ways to help troubleshoot
networking issues and ensure the proper flow of traffic. As such, it is possible
that a large ICMP packet could be perfectly legitimate. If large ICMP packets are
associated with command and control traffic, there will typically be a large number
of these packets observed over time. If the search is providing a large number of
false positives, you can modify the search to adjust the byte threshold or whitelist
specific IP addresses, as necessary.
maintainers:
- company: Splunk
email: rvaldez@splunk.com
name: Rico Valdez
mappings:
cis20:
- CIS 9
- CIS 12
kill_chain_phases:
- Command and Control
mitre_attack:
- Command and Control
- Standard Non-Application Layer Protocol
nist:
- DE.AE
modification_date: '2018-06-01'
name: Detect Large Outbound ICMP Packets
original_authors:
- company: Splunk
email: rvaldez@splunk.com
name: Rico Valdez
references: []
security_domain: network
spec_version: 2
type: splunk
version: '2.0'