NXLog Docs

ICMP (Internet Control Message Protocol)

What is ICMP?

Description

ICMP is a network layer protocol utilized by network devices to diagnose communication problems. ICMP is mainly used to determine whether data is reaching its intended destination promptly. In addition, network devices, such as routers, use the ICMP protocol for error reporting when network problems prevent the delivery of data packets.

Hackers also found a way to use ICMP messages maliciously, such as ping of death (PoD) attacks, Smurf attacks, and ping flood attacks. While few networks are vulnerable to PoD and Smurf attacks today, most systems are still affected by ping flood attacks.

In the world of NXLog

In corporate networks, ICMP traffic commonly indicates ping requests, and a certain amount of ICMP traffic is usually expected. However, a sharp increase in ICMP traffic during a short period usually points to malicious activity. Therefore, ICMP traffic is worth monitoring.

NXLog provides the im_pcap input module to capture network traffic. You can then define a threshold for expected ICMP traffic with the pm_evcorr module and generate alerts if exceeded.

Known as

ICMP, ICMP protocol, Internet Control Message Protocol

Related

Detecting unusual ICMP traffic levels Event correlation Packet capture (im_pcap)


A   B   C   D   E   F   G   H   I   J   K   L   M   N   O   P   R   S   T   U   V   W   X   Z

X

Z