This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

What's on your wire: The curious case of ICMP Tunneling

Anonymous
Not applicable
‎2019-02-26 08:59 AM

I've come across ICMP tunneling only a handful of times, but this was the first time I had seen it used as part of a VPN client.  The VPN client was SoftEther VPN and, in addition to SSL VPN, it can also perform ICMP and DNS tunneling.  During a recent hunting engagement, I had the opportunity to identify and create content to detect this activity.

 

Let's have a look.

 

pastedImage_1.png

 

I drilled into ICMP traffic (ip.proto = 1) and then looked at Session Characteristics (analysis.session).  This led me to the meta 'icmp large session'.  Previously, I had created meta to describe when sessions had 'session.split' meta.  Session.split occurs when a session is either very large or very long.  You can find more about session.split in a previous post I wrote here.  However, one simple way to identify when session.split exists, is to simply write an application rule.  

 

pastedImage_2.png

 

As we look at the sessions associated with this activity, we see the following:

 

pastedImage_3.png

 

The data called out above is around the transmitted (requestpayload) and received (responsepayload) as well as the payload size and overall size of the session.  If you've ever looked at ICMP traffic before, its typically small.  This is not small.

 

Furthermore, this does not look like typical ICMP traffic as shown below:

 

pastedImage_4.png

 

With RSA Netwitness Packets, we have an opportunity to describe our network traffic pretty effectively.  When I saw this traffic, I wanted to improve some of the meta I had to describe the size.  The one below will let me know if a session is greater than 1mb.

 

pastedImage_5.png

 

Now, circling back to the ICMP tunneling, we can do this with another application rule.

 

pastedImage_6.png

 

By taking these steps, I am now better equipped at identifying ICMP tunneling when I observe it.

 

App Rules
name="session split" rule="session.split exists" alert=analysis.session type=application
name="session size greater than 1mb" rule="streams=2 && size=1024000 -u" alert=analysis.session type=application
name=possible_icmp_tunneling rule="ip.proto=1 && session.split exists && analysis.session = 'icmp large session' && analysis.session = 'session size greater than 1mb'" alert=ioc type=application

 

Note that 'session split' and 'session size greater than 1mb' should be before the 'possible_icmp_tunneling' rule.  Order is important.

 

I'll try to get some DNS tunneling created with this SoftEther VPN client soon.

 

Good luck and happy hunting.

© 2022 RSA Security LLC or its affiliates. All rights reserved.