PROTOCOL-ICMP -- Snort alerted on Internet Control Message Protocol (ICMP) traffic, which allows hosts to send error messages about interruptions in traffic. Administrators can use ICMP to perform diagnostics and troubleshooting, but the protocol can also be used by attackers to gain information on a network. This protocol is vulnerable to several attacks, and many administrators block it altogether or selectively block certain messages.
PROTOCOL-ICMP superscan echo
This event is generated when an ICMP Echo Request from the Windows-based
scanner SuperScan is detected.
SuperScan is a freely available Windows-based scanner from Foundstone.
The scanner's default behavior is to send an ICMP Echo Request before
starting the scan. This ICMP packet has a distinctive payload of eight (8) bytes,
each set to zero (0).
This scanner is fairly popular among Windows users.
Ease of Attack:
Simple. SuperScan is widely available.
What To Look For
No public information
Known false positives, with the described conditions
Tools other than SuperScan may generate echo requests with the same content.
Original rule writer unknown
Snort documentation contributed by Johan Augustsson
<email@example.com> and Josh Gray