Rule Category

PROTOCOL-ICMP -- Snort alerted on Internet Control Message Protocol (ICMP) traffic, which allows hosts to send error messages about interruptions in traffic. Administrators can use ICMP to perform diagnostics and troubleshooting, but the protocol can also be used by attackers to gain information on a network. This protocol is vulnerable to several attacks, and many administrators block it altogether, or block selective messages.

Alert Message

PROTOCOL-ICMP PING CyberKit 2.2 Windows

Rule Explanation

This event is generated when an ICMP echo request is made from a Windows host running CyberKit 2.2 software. Impact: Information gathering. An ICMP echo request can determine if a host is active. Details: An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running CyberKit 2.2 software contains a unique payload in the message request. Ease of Attack: Simple

What To Look For

No information provided

Known Usage

No public information

False Positives

Known false positives, with the described conditions

An ICMP echo request may be used to legimately troubleshoot networking problems.


Original rule written by Max Vision <> Documented by Steven Alexander<> Cisco Talos Judy Novak

Rule Groups

No rule groups



Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.