ICMP Header Values
The system supports keywords that you can use to identify attacks and security policy violations in the headers of ICMP packets. Note, however, that predefined rules exist that detect most ICMP types and codes. Consider enabling an existing rule or creating a local rule based on an existing rule; you may be able to find a rule that meets your needs more quickly than if you build an ICMP rule from scratch.
icmp_id and icmp_seq
The ICMP identification and sequence numbers help associate ICMP replies with ICMP requests. In normal traffic, these values are dynamically assigned to packets. Some covert channel and Distributed Denial of Service (DDoS) programs use static ICMP ID and sequence values. The following keywords allow you to identify ICMP packets with static values.
Keyword | Definition
---|---
icmp_id | Inspects an ICMP echo request or reply packet's ICMP ID number. Use a numeric value that corresponds with the ICMP ID number as the argument for the
icmp_seq | The
itype
Use the itype keyword to look for packets with specific ICMP message type values. You can specify either a valid ICMP type value or an invalid ICMP type value to test for different types of traffic. For example, attackers may set ICMP type values out of range to cause denial of service and flooding attacks.
You can specify a range for the itype argument value using less than (<) and greater than (>).
For example:
- <35
- >36
- 3<>55
icode
ICMP messages sometimes include a code value that provides details when a destination is unreachable.
You can use the icode keyword to identify packets with specific ICMP code values. You can choose to specify either a valid ICMP code value or an invalid ICMP code value to test for different types of traffic.
You can specify a range for the icode argument value using less than (<) and greater than (>).
For example:
- to find values less than 35, specify <35.
- to find values greater than 36, specify >36.
- to find values between 3 and 55, specify 3<>55.
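To show how the four keywords above apply to a real header, here is an added example (not code from the product or its rule engine) that parses the 8-byte ICMP header and evaluates itype/icode arguments in the <35, >36, 3<>55 and exact-value forms, plus numeric icmp_id and icmp_seq values. The sample packet, the helper names (parse_icmp_header, match_arg, rule_matches) and the inclusive reading of a<>b are assumptions made for the example.

```python
import re
import struct

# Constructed 8-byte ICMP echo request header: type 8, code 0, checksum 0
# (not verified here), identifier 0x1234, sequence 1. Sample input, not a capture.
SAMPLE_ECHO = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)

def parse_icmp_header(raw):
    """Return (itype, icode, icmp_id, icmp_seq) from the first 8 bytes of an ICMP message."""
    if len(raw) < 8:
        raise ValueError("ICMP header needs at least 8 bytes")
    itype, icode, _checksum, icmp_id, icmp_seq = struct.unpack("!BBHHH", raw[:8])
    return itype, icode, icmp_id, icmp_seq

# Argument forms from the page: '<N', '>N', 'LO<>HI', or a bare number.
_ARG = re.compile(r"^(?:(?P<op>[<>])(?P<n>\d+)|(?P<lo>\d+)<>(?P<hi>\d+)|(?P<eq>\d+))$")

def match_arg(arg, value):
    """Evaluate an itype/icode style argument against a header value.
    '<' and '>' are strict comparisons. 'LO<>HI' is treated as inclusive of both
    ends (assumption: the page only says 'between'; confirm your engine's rule).
    A bare number is an exact match.
    """
    m = _ARG.match(arg.strip())
    if not m:
        raise ValueError(f"bad argument: {arg!r}")
    if m["op"] == "<":
        return value < int(m["n"])
    if m["op"] == ">":
        return value > int(m["n"])
    if m["lo"] is not None:
        return int(m["lo"]) <= value <= int(m["hi"])
    return value == int(m["eq"])

def rule_matches(options, raw):
    """options maps keyword -> argument string, e.g. {"itype": "8", "icmp_id": "4660"}
    (4660 is the sample packet's 0x1234 id). Every option must match for a hit.
    icmp_id and icmp_seq take a plain numeric value, as the page describes."""
    itype, icode, icmp_id, icmp_seq = parse_icmp_header(raw)
    fields = {"itype": itype, "icode": icode, "icmp_id": icmp_id, "icmp_seq": icmp_seq}
    for keyword, arg in options.items():
        if keyword not in fields:
            raise ValueError(f"unknown keyword: {keyword}")
        if keyword in ("icmp_id", "icmp_seq") and not arg.strip().isdigit():
            raise ValueError(f"{keyword} takes a numeric value, got {arg!r}")
        if not match_arg(arg, fields[keyword]):
            return False
    return True
```

A static icmp_id or icmp_seq check such as {"icmp_id": "4660"} is how a rule would flag the fixed identifier values the covert-channel and DDoS tools mentioned above are known for.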
Tip | You can use the