uncommon_icmp_reject

Explanation

The uncommon_icmp_reject event is triggered when the Netography Detection Module (NDM) detects network flows carrying ICMP messages which indicate that traffic on the network is being administratively prohibited (blocked).

What to Look For

Typically, these ICMP messages are sent in response to traffic that is being blocked by a firewall, either at the host or network level. In some cases this could be a sign that a network is compromised and that an attacker is running scans or attempting to access parts of the network that are firewalled. These events could also be triggered by misconfigurations or authorized network scanning activity.
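
One way to triage these flows is sketched below. It is an added example, not Netography's detection logic, and it groups administratively-prohibited ICMP flows by the host that received them, so that a host rejected by several distinct senders stands out from a single blocked path. The flow field names, the `fanout_threshold` value and the packing of ICMP type and code into the destination port field (a common NetFlow exporter convention) are assumptions.

```python
from collections import defaultdict

# (type, code) pairs meaning "administratively prohibited" (IANA ICMP registries).
# IPv4, protocol 1: Destination Unreachable (type 3), codes 9, 10 and 13.
# IPv6, protocol 58: Destination Unreachable (type 1), code 1.
ADMIN_PROHIBITED = {1: {(3, 9), (3, 10), (3, 13)}, 58: {(1, 1)}}

def icmp_type_code(dst_port):
    # Assumption: the exporter packs ICMP type and code as type * 256 + code.
    return dst_port >> 8, dst_port & 0xFF

def summarize_rejects(flows, fanout_threshold=3):
    """Group reject flows by recipient, i.e. the host whose traffic was blocked.
    fanout_threshold is a hypothetical triage value, not a vendor default."""
    seen = defaultdict(lambda: {"flows": 0, "rejecters": set()})
    for f in flows:
        pairs = ADMIN_PROHIBITED.get(f["proto"])
        if not pairs or icmp_type_code(f["dst_port"]) not in pairs:
            continue  # not ICMP, or an ICMP message that is not a reject
        seen[f["dst"]]["flows"] += 1
        seen[f["dst"]]["rejecters"].add(f["src"])
    return {
        host: {
            "flows": e["flows"],
            "rejecters": sorted(e["rejecters"]),
            "fanout": len(e["rejecters"]) >= fanout_threshold,
        }
        for host, e in seen.items()
    }

# Constructed sample flow records (documentation address ranges), not real telemetry.
SAMPLE_FLOWS = [
    {"src": "192.0.2.1", "dst": "198.51.100.7", "proto": 1, "dst_port": 3 * 256 + 13},
    {"src": "192.0.2.20", "dst": "198.51.100.7", "proto": 1, "dst_port": 3 * 256 + 10},
    {"src": "192.0.2.21", "dst": "198.51.100.7", "proto": 1, "dst_port": 3 * 256 + 10},
    {"src": "192.0.2.1", "dst": "198.51.100.9", "proto": 1, "dst_port": 3 * 256 + 13},
    {"src": "192.0.2.1", "dst": "198.51.100.9", "proto": 1, "dst_port": 3 * 256 + 3},  # port unreachable
    {"src": "2001:db8::1", "dst": "2001:db8::50", "proto": 58, "dst_port": 1 * 256 + 1},
    {"src": "192.0.2.5", "dst": "198.51.100.9", "proto": 6, "dst_port": 781},  # TCP port 781, not ICMP
]

if __name__ == "__main__":
    for host, info in summarize_rejects(SAMPLE_FLOWS).items():
        print(host, info)
```

A flagged recipient still needs context before it is treated as suspicious: an authorized scanner or a misconfigured client produces the same pattern.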