
ICMP Timestamp or Information Request from the Internet

Elastic Detection Rules

Summary
This rule identifies inbound ICMP Timestamp Request (type 13) or ICMP Information Request (type 15) messages originating from external sources and targeting internal RFC1918 addresses. It consumes ICMP telemetry from the network_traffic.icmp data stream and flags events where the ICMP request type is 13 or 15, the destination IP is private (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16), and the source IP is not within common internal/reserved ranges (to minimize false positives from legitimate internal probes). This pattern is typically associated with host/path fingerprinting during reconnaissance or active scanning.

MITRE ATT&CK mappings: T1018 Remote System Discovery (Discovery) and T1595 Active Scanning (Reconnaissance), with sub-technique T1595.001 Scanning IP Blocks. The rule has a risk_score of 21 and a severity of low. Setup requires ICMP telemetry via the network_traffic.icmp data stream.

The rule is intended for network security monitoring and threat detection and ships with triage guidance, false-positive considerations and remediation steps that emphasize perimeter controls, asset exposure checks and enhanced monitoring for follow-on activity. False positives may arise from legacy monitoring or SLA probes; maintain validated exceptions for known sources. Response recommendations include blocking or rate-limiting unauthorized external sources and verifying that internal hosts are not exposed to the Internet. Overall, the rule serves as a network reconnaissance/scan indicator within a broader security operations workflow.
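The three conditions described above (request type 13 or 15, RFC1918 destination, non-internal source) plus a validated-exception list, applied to constructed ICMP telemetry as an added Python example; this is not Elastic's own rule code, and the flattened ECS field names, the exact list of reserved source ranges and the sample addresses are assumptions:

```python
import ipaddress
from typing import Iterable

# RFC1918 destination ranges named on the rule page.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Source ranges treated as internal/reserved. The rule page only says
# "common internal/reserved ranges", so this exact list is an assumption.
NOT_EXTERNAL = RFC1918 + [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
    "224.0.0.0/4", "240.0.0.0/4")]
# ICMP type 13 = Timestamp Request, type 15 = Information Request.
TARGET_TYPES = {13, 15}

def matches(event: dict, exceptions: Iterable[str] = ()) -> bool:
    """Apply the rule's conditions to one flattened ECS-style event; the field
    names (event.dataset, icmp.request.type, source.ip, destination.ip) are assumed."""
    if (event.get("event.dataset") != "network_traffic.icmp"
            or event.get("icmp.request.type") not in TARGET_TYPES):
        return False
    try:
        src = ipaddress.ip_address(event["source.ip"])
        dst = ipaddress.ip_address(event["destination.ip"])
    except (KeyError, ValueError):
        return False  # missing or malformed address: nothing to evaluate
    if src.version != 4 or dst.version != 4:
        return False  # the RFC1918 logic is IPv4-only
    if not any(dst in n for n in RFC1918) or any(src in n for n in NOT_EXTERNAL):
        return False
    # Validated exception for a known legacy monitoring / SLA probe source.
    return str(src) not in set(exceptions)

def scan(events: Iterable[dict], exceptions: Iterable[str] = ()) -> list:
    """Return (source.ip, destination.ip, icmp type) for each matching event."""
    return [(e["source.ip"], e["destination.ip"], e["icmp.request.type"])
            for e in events if matches(e, exceptions)]

def icmp_event(icmp_type: int, src: str, dst: str) -> dict:
    """Build a constructed sample event (documentation addresses, not real hosts)."""
    return {"event.dataset": "network_traffic.icmp", "icmp.request.type": icmp_type,
            "source.ip": src, "destination.ip": dst}

SAMPLE_EVENTS = [
    icmp_event(13, "203.0.113.7", "10.1.2.3"),       # external -> RFC1918: alert
    icmp_event(15, "198.51.100.9", "192.168.5.20"),  # Information Request: alert
    icmp_event(13, "10.0.0.5", "10.1.2.3"),          # internal probe: ignored
    icmp_event(8, "203.0.113.7", "10.1.2.3"),        # Echo Request: not 13/15
    icmp_event(13, "203.0.113.7", "192.0.2.10"),     # public destination: ignored
    icmp_event(13, "198.51.100.50", "172.16.3.4"),   # known SLA probe, if excepted
]
```

Calling scan(SAMPLE_EVENTS, exceptions={"198.51.100.50"}) yields only the first two events; without the exception the SLA probe is reported as well.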
Categories
  • Network
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1018
  • T1595
  • T1595.001
Created: 2026-06-25