hamed_masoomi67 0 Posted October 9, 2019 Share Posted October 9, 2019 Hello I see some log in threads section.what is it? i disable the notification from Firewall-->IDS but it shows again What can i do for solving the Problem?? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,250 Posted October 9, 2019 Administrators Share Posted October 9, 2019 Please make sure that detection of covert data in ICMP is disabled in Endpoint (it is off by default): Some applications may utilize ICMP in a non-standard way which is then reported. Link to comment Share on other sites More sharing options...
hamed_masoomi67 0 Posted October 9, 2019 Author Share Posted October 9, 2019 Thank you marcos I will check it Link to comment Share on other sites More sharing options...
hamed_masoomi67 0 Posted October 12, 2019 Author Share Posted October 12, 2019 Hello I did what you said marcos but i see the logs Link to comment Share on other sites More sharing options...
itman 1,746 Posted October 12, 2019 Share Posted October 12, 2019 (edited) The source and target IP addresses all fall in the IANA private address range, 172.16.0.0 - 172.31.255.255. IP addresses in this range are not externally route-able. In other words, the ICMP Hidden traffic Eset is detecting is originating from and being directed to IP addresses within your local network. If you are using this private address range internally, you will most likely have to create an Eset IDS exception rule to exclude this address range from ICMP hidden channel detection. Ref.: https://whatismyipaddress.com/private-ip Edited October 12, 2019 by itman Link to comment Share on other sites More sharing options...
itman 1,746 Posted October 13, 2019 Share Posted October 13, 2019 (edited) I will also add that this ICMP hidden channel activity needs to be examined in detail to determine the source of the ICMP activity. Whereas the source could be benign legitimate activity, it could also be the result of malicious activity as noted here: https://zeltser.com/reverse-icmp-shell/ For example, malware on the server or a device on the local network could be using ICMP hidden channel methods to gain access to other devices on the network. An example of such malware is Loki: https://resources.infosecinstitute.com/icmp-attacks/ Edited October 13, 2019 by itman Link to comment Share on other sites More sharing options...
hamed_masoomi67 0 Posted October 16, 2019 Author Share Posted October 16, 2019 Hello The problem solved Thanks you itman and marcos Link to comment Share on other sites More sharing options...
Recommended Posts