EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Detect Large ICMP Traffic

The following analytic identifies ICMP traffic to external IP addresses with total bytes (sum of bytes in and bytes out) greater than 1,000 bytes. It leverages the Network_Traffic data model to detect large ICMP packet that aren't blocked and are directed toward external networks. We use All_Traffic.bytes in the detection to capture variations in inbound versus outbound traffic sizes, as significant discrepancies or unusually large ICMP exchanges can indicate information smuggling, covert communication, or command-and-control (C2) activities. If validated as malicious, this could signal ICMP tunneling, unauthorized data transfer, or compromised endpoints requiring immediate investigation.

MITRE ATT&CK

T1095

Detection Query

| tstats `security_content_summariesonly`
          count earliest(_time) as firstTime
                latest(_time) as lastTime
                values(All_Traffic.action) as action
from datamodel=Network_Traffic where
All_Traffic.bytes > 1000
All_Traffic.action != blocked
AND
(
    All_Traffic.protocol=icmp
    OR
    All_Traffic.transport=icmp
)
NOT All_Traffic.dest_ip IN (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
        "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
        "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
        "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
        "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
)

by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.protocol
   All_Traffic.bytes All_Traffic.app All_Traffic.bytes_in
   All_Traffic.bytes_out All_Traffic.dest_port All_Traffic.dvc
   All_Traffic.protocol_version All_Traffic.src_port
   All_Traffic.user All_Traffic.vendor_product
| `drop_dm_object_name("All_Traffic")`
| iplocation dest_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_large_icmp_traffic_filter`

Author

Rico Valdez, Dean Luxton, Bhavin Patel, Splunk

Created

2026-03-23

Data Sources

Palo Alto Network Traffic

Tags

Command And ControlChina-Nexus Threat ActivityBackdoor Pingpong
Raw Content
name: Detect Large ICMP Traffic
id: 9cd6d066-94d5-4ccd-a8b9-28c03ca91be8
version: 5
date: '2026-03-23'
author: Rico Valdez, Dean Luxton, Bhavin Patel, Splunk
status: production
type: TTP
description: |
    The following analytic identifies ICMP traffic to external IP addresses with total bytes (sum of bytes in and bytes out) greater than 1,000 bytes.
    It leverages the Network_Traffic data model to detect large ICMP packet that aren't blocked and are directed toward external networks. We use All_Traffic.bytes in the detection to capture variations in inbound versus outbound traffic sizes, as significant discrepancies or unusually large ICMP exchanges can indicate information smuggling, covert communication, or command-and-control (C2) activities.
    If validated as malicious, this could signal ICMP tunneling, unauthorized data transfer, or compromised endpoints requiring immediate investigation.
data_source:
    - Palo Alto Network Traffic
search: |-
    | tstats `security_content_summariesonly`
              count earliest(_time) as firstTime
                    latest(_time) as lastTime
                    values(All_Traffic.action) as action
    from datamodel=Network_Traffic where
    All_Traffic.bytes > 1000
    All_Traffic.action != blocked
    AND
    (
        All_Traffic.protocol=icmp
        OR
        All_Traffic.transport=icmp
    )
    NOT All_Traffic.dest_ip IN (
            "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
            "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
            "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
            "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
            "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
    )

    by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.protocol
       All_Traffic.bytes All_Traffic.app All_Traffic.bytes_in
       All_Traffic.bytes_out All_Traffic.dest_port All_Traffic.dvc
       All_Traffic.protocol_version All_Traffic.src_port
       All_Traffic.user All_Traffic.vendor_product
    | `drop_dm_object_name("All_Traffic")`
    | iplocation dest_ip
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `detect_large_icmp_traffic_filter`
how_to_implement: |
    The following analytic was developed with Palo Alto traffic logs. Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: |
    ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet could be perfectly legitimate. If large ICMP packets are associated with Command And Control traffic, there will typically be a large number of these packets observed over time. If the search is providing a large number of false positives, you can modify the macro `detect_large_icmp_traffic_filter` to adjust the byte threshold or add specific IP addresses to an allow list.
references: []
drilldown_searches:
    - name: View the detection results for - "$src_ip$" and "$dest_ip$"
      search: '%original_detection_search% | search  src_ip = "$src_ip$" dest_ip = "$dest_ip$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src_ip$" and "$dest_ip$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$dest_ip$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Large ICMP traffic greater than a 1000 bytes detected from $src_ip$ to $dest_ip$
    risk_objects:
        - field: dest_ip
          type: system
          score: 50
        - field: src_ip
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Command And Control
        - China-Nexus Threat Activity
        - Backdoor Pingpong
    asset_type: Endpoint
    mitre_attack_id:
        - T1095
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1095/palologs/large_icmp.log
          sourcetype: pan:traffic
          source: not_applicable