Rule Category

PROTOCOL-ICMP -- Snort alerted on Internet Control Message Protocol (ICMP) traffic, which allows hosts to send error messages about interruptions in traffic. Administrators can use ICMP to perform diagnostics and troubleshooting, but the protocol can also be used by attackers to gain information on a network. This protocol is vulnerable to several attacks, and many administrators block it altogether, or block selective messages.

Alert Message

PROTOCOL-ICMP traceroute

Rule Explanation

This event is generated when a Windows traceroute (tracert) is detected.

Impact: Information gathering. A traceroute can be used to discover live hosts and network topologies.

Details: A Windows traceroute command uses an ICMP echo request with a lower than normal Time to Live (TTL) value to identify live hosts and network topologies. The TTL value is manipulated by the sending host to discover all routers traversed from the source host to the destination host. Eventually, a TTL value of 1 is observed, which elicits an ICMP "time exceeded in-transit" error message. A router sends this ICMP error message to the host running traceroute. The traceroute host records this as a router and continues to incrementally manipulate the TTL until the destination host is reached.

Additionally, there are at least three different implementations of traceroute. In one implementation, traceroute works by sending an ICMP Echo Request packet to a destination host with a TTL value of 1. If the host is more than one hop away, the first router that receives the packet sends back an ICMP packet indicating that the TTL was exceeded. The address of this router is then listed as the first hop. The packet is then sent out again with a TTL of 2. This continues until the destination host is able to reply or some maximum TTL value is reached. The other two implementations use the same TTL-based concept with an ICMP type of 30 (traceroute) or with a UDP packet destined for an ephemeral port.

Ease of Attack: Simple
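As an added illustration of the detection idea described above (example code written for this page, not the Snort rule itself or code from Talos), the Python below parses raw IPv4 packets and flags the three probe patterns the text names (ICMP echo request, ICMP type 30, UDP to an ephemeral port) when they arrive with a low TTL. The TTL threshold, the ephemeral port boundary, the packet builder and the sample packets are constructed assumptions for this example, not the rule's actual options; the real rule matches on its own keyword set.

```python
import struct
from dataclasses import dataclass

# Constructed constants for this example (assumptions, not the Snort rule's options).
LOW_TTL_THRESHOLD = 1        # probes at or below this TTL are treated as traceroute-like
IPPROTO_ICMP = 1
IPPROTO_UDP = 17
ICMP_ECHO_REQUEST = 8        # Windows tracert style probe
ICMP_TRACEROUTE = 30         # ICMP "traceroute" type named on the page
EPHEMERAL_PORT_MIN = 32768   # UDP traceroute implementations probe high ports


@dataclass
class Verdict:
    matched: bool
    reason: str
    src: str
    dst: str
    ttl: int


def _ip(raw: bytes) -> str:
    return ".".join(str(octet) for octet in raw)


def inspect_ipv4(packet: bytes) -> Verdict:
    """Parse one IPv4 packet and decide whether it looks like a traceroute probe.

    The logic mirrors the rule explanation: an ICMP echo request, an ICMP type 30
    message, or a UDP datagram to an ephemeral port is suspicious only when the
    IP TTL is unusually low (the hop-counting trick traceroute relies on).
    """
    if len(packet) < 20:
        return Verdict(False, "truncated IPv4 header", "", "", 0)
    version_ihl, ttl, proto = packet[0], packet[8], packet[9]
    if version_ihl >> 4 != 4:
        return Verdict(False, "not IPv4", "", "", ttl)
    ihl = (version_ihl & 0x0F) * 4
    src, dst = _ip(packet[12:16]), _ip(packet[16:20])
    payload = packet[ihl:]
    if ttl > LOW_TTL_THRESHOLD:
        return Verdict(False, "TTL not suspicious", src, dst, ttl)
    if proto == IPPROTO_ICMP and len(payload) >= 4:
        itype = payload[0]
        if itype == ICMP_ECHO_REQUEST:
            return Verdict(True, "ICMP echo request with low TTL (tracert style)", src, dst, ttl)
        if itype == ICMP_TRACEROUTE:
            return Verdict(True, "ICMP type 30 traceroute with low TTL", src, dst, ttl)
    if proto == IPPROTO_UDP and len(payload) >= 8:
        dport = struct.unpack("!H", payload[2:4])[0]
        if dport >= EPHEMERAL_PORT_MIN:
            return Verdict(True, "UDP probe to ephemeral port with low TTL (UNIX traceroute style)", src, dst, ttl)
    return Verdict(False, "low TTL but no traceroute probe pattern", src, dst, ttl)


def build_ipv4(src: str, dst: str, proto: int, ttl: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet for constructed test input (checksum left zero)."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
        bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")),
    )
    return header + payload


def icmp_message(itype: int, ident: int = 1, seq: int = 1) -> bytes:
    return struct.pack("!BBHHH", itype, 0, 0, ident, seq) + b"abcdefgh"


def udp_datagram(sport: int = 40000, dport: int = 33434) -> bytes:
    return struct.pack("!HHHH", sport, dport, 12, 0) + b"\x00" * 4


# Constructed sample traffic using documentation address ranges.
SAMPLE_PACKETS = {
    "tracert_hop1": build_ipv4("192.0.2.10", "198.51.100.5", IPPROTO_ICMP, 1, icmp_message(ICMP_ECHO_REQUEST)),
    "normal_ping": build_ipv4("192.0.2.10", "198.51.100.5", IPPROTO_ICMP, 128, icmp_message(ICMP_ECHO_REQUEST)),
    "icmp30_probe": build_ipv4("192.0.2.12", "198.51.100.5", IPPROTO_ICMP, 1, icmp_message(ICMP_TRACEROUTE)),
    "unix_traceroute": build_ipv4("192.0.2.11", "198.51.100.5", IPPROTO_UDP, 1, udp_datagram()),
    "low_ttl_dns": build_ipv4("192.0.2.13", "198.51.100.5", IPPROTO_UDP, 1, udp_datagram(dport=53)),
}


def scan(packets=SAMPLE_PACKETS) -> dict:
    """Run the inspector over a set of named packets and return each verdict."""
    return {name: inspect_ipv4(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        flag = "ALERT" if verdict.matched else "ok   "
        print(f"{flag} {name:16} ttl={verdict.ttl:3} {verdict.src} -> {verdict.dst}: {verdict.reason}")
```

The `low_ttl_dns` sample shows why the port check matters: a low TTL alone also occurs on ordinary traffic that has simply crossed many hops, so tying the alert to the probe's protocol and port keeps the false positive rate closer to what the page describes (legitimate troubleshooting is the expected benign match).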

What To Look For

Traceroute detection

Known Usage

No public information

False Positives

Known false positives, with the described conditions

The traceroute command may be used to legitimately troubleshoot networking problems.

Contributors

Original Rule Writer: Max Vision <vision@whitehats.com>
Cisco Talos
Judy Novak
Nigel Houghton
Snort documentation contributed by Steven Alexander <alexander.s@mccd.edu>

Rule Groups

No rule groups

CVE

None

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None

MITRE ATT&CK Framework

Tactic: Discovery

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org