NXLog search
Let's talk Start free
Let's talk Start free

NXLog Legacy Documentation

ICMP (Internet Control Message Protocol)

What is ICMP?

Description

ICMP is a network layer protocol utilized by network devices to diagnose communication problems. ICMP is mainly used to determine whether data is reaching its intended destination promptly. In addition, network devices, such as routers, use the ICMP protocol for error reporting when network problems prevent the delivery of data packets.

Hackers also found a way to use ICMP messages maliciously, such as ping of death (PoD) attacks, Smurf attacks, and ping flood attacks. While few networks are vulnerable to PoD and Smurf attacks today, most systems are still affected by ping flood attacks.

In the world of NXLog

In corporate networks, ICMP traffic commonly indicates ping requests, and a certain amount of ICMP traffic is usually expected. However, a sharp increase in ICMP traffic during a short period usually points to malicious activity. Therefore, ICMP traffic is worth monitoring.

NXLog provides the im_pcap input module to capture network traffic. You can then define a threshold for expected ICMP traffic with the pm_evcorr module and generate alerts if exceeded.

Known as

ICMP, ICMP protocol, Internet Control Message Protocol

Related

Detecting unusual ICMP traffic levels Event correlation Packet capture (im_pcap)

A   B   C   D   E   F   G   H   I   J   K   L   M   N   O   P   R   S   T   U   V   W   X   Z

A

agent

agent-based log collection

agentless log collection

audit log

B

bandwidth

C

CEF (Common Event Format)

CSV (Comma-separated Values)

D

data source

DNS logging

E

endpoint security

EPS (Events Per Second)

ETW (Event Tracing for Windows)

event correlation

F

failover

G

GELF (Graylog Extended Log Format)

H

High Availability (HA)

I

ICMP (Internet Control Message Protocol)

IDS (Intrusion Detection System)

J

JSON (JavaScript Object Notation)

K

kernel log

KVP (Key-Value Pair)

L

LEEF (Log Event Extended Format)

log centralization

log normalization

log parsing

M

MSSP (Managed Security Service Provider)

multi-line logs

N

NetFlow

O

open source

P

pattern

PCI-DSS (Payment Card Industry Data Security Standard)

protocol

R

Raijin database

Remote Access Server Role

S

SCCM (System Center Configuration Manager)

SEM (Security Event Management)

SIM (Security Information Management)

SIEM (Security Information and Event Management)

SNMP (Simple Network Management Protocol)

SOC (Security Operations Center)

structured logging

syslog

T

TCP (Transmission Control Protocol)

TLS (Transport Layer Security)/SSL (Secure Sockets Layer)

U

UEBA (User and Entity Behavior Analytics)

UDP (User Datagram Protocol)

V

vendor-agnostic

W

W3C Extended Log File Format

WEC (Windows Event Collector)

WEF (Windows Event Forwarding)

Windows Event ID

WMI (Windows Management Instrumentation)

X

XPath

Z

ZeroMQ