Rule Category

PROTOCOL-ICMP -- Snort alerted on Internet Control Message Protocol (ICMP) traffic, which allows hosts to send error messages about interruptions in traffic. Administrators can use ICMP to perform diagnostics and troubleshooting, but the protocol can also be used by attackers to gain information on a network. This protocol is vulnerable to several attacks, and many administrators block it altogether, or block selective messages.

Alert Message

PROTOCOL-ICMP superscan echo

Rule Explanation

This event is generated when an ICMP Echo Request from the Windows based scanner SuperScan is detected. Impact: Information gathering. Details: SuperScan is a freely available Windows based scanner from Foundstone. The scanners default behavior is to send an ICMP Echo Request before starting the scan. This ICMP packet has a special payload of eight (8) bytes, consisting of the number zero (0). This scanner is fairly popular among Windows users. Ease of Attack: Simple. SuperScan is widely available.

What To Look For

Known Usage

No public information

False Positives

Known false positives, with the described conditions

Tools other than SuperScan may generate echo requests with the same content.

Contributors

Original rule writer unknown Snort documentation contributed by Johan Augustsson <johan.augustsson@adm.gu.se> and Josh Gray Cisco Talos Nigel Houghton

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

Rule Vulnerability

CVE Additional Information