ICMP Hidden Channel

[hamed_masoomi67 0]

Hello 

I see some log in threads section.what is it?

i disable the notification from Firewall-->IDS but it shows again

What can i do for solving the Problem??

[Marcos 5,070]

Please make sure that detection of covert data in ICMP is disabled in Endpoint (it is off by default):

Some applications may utilize ICMP in a non-standard way which is then reported.

[hamed_masoomi67 0]

Thank you marcos

I will check it

[hamed_masoomi67 0]

Hello

I did what you said marcos but i see the logs

 

[itman 1,659]

The source and target IP addresses all fall in the IANA private address range, 172.16.0.0 - 172.31.255.255. IP addresses in this range are not externally route-able. In other words, the ICMP Hidden traffic Eset is detecting is originating from and being directed to IP addresses within your local network. If you are using this private address range internally, you will most likely have to create an Eset IDS exception rule to exclude this address range from ICMP hidden channel detection.

Ref.: https://whatismyipaddress.com/private-ip

Edited October 12, 2019 by itman

[itman 1,659]

I will also add that this ICMP hidden channel activity needs to be examined in detail to determine the source of the ICMP activity. Whereas the source could be benign legitimate activity, it could also be the result of malicious activity as noted here: https://zeltser.com/reverse-icmp-shell/

For example, malware on the server or a device on the local network could be using ICMP hidden channel methods to gain access to other devices on the network. An example of such malware is Loki: https://resources.infosecinstitute.com/icmp-attacks/

 

Edited October 13, 2019 by itman

[hamed_masoomi67 0]

Hello

The problem solved

Thanks you itman and marcos