2854494: ETPRO INFO Citrix/GotoMyPC Jedi Remote Control Session 2 - ICMP Traffic
Immediately after this rule emerged across my NSM stacks, we started seeing FPs on it, all from Apple devices (both MacOS and iPhones).
I don’t have a raw packet but the Suricata eve.json field network.data.decoded reports the string “99 bottles of beer on the wall” preceded by 27 spaces. Perhaps the space prefixing or an exact match on icmp payload size may enable you to avoid these FPs where Apple devices are involved.
I was reading up on this and it looks likely related to Apple-SimplePing that likes to put the same odd phrase in the icmp payload.
Apple-SimplePing-Swift-4-master/Common/SimplePing.m: payload = [[NSString stringWithFormat:@"%28zd bottles of beer on the wall", (ssize_t) 99 - (size_t) (self.nextSequenceNumber % 100) ] dataUsingEncoding:NSASCIIStringEncoding];
See GitHub - Xopoko/Apple-SimplePing-Swift-4: SimplePing example written in swift 4
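As an added example (not part of the thread and not Apple's or Emerging Threats' code), the following Python models the payload that the quoted SimplePing line produces and shows an exact-match check a rule tuner could use to separate this benign pattern from other "bottles of beer" ICMP traffic. The SAMPLE_DECODED strings are constructed here; the payload layout (a count right-aligned in a 28-character field, then the fixed phrase, 56 ASCII bytes in total) follows directly from the "%28zd" format string above.

```python
# Added example: model the SimplePing ICMP payload and check a decoded
# payload against it. Nothing here comes from the original thread.

PHRASE = b" bottles of beer on the wall"
FIELD_WIDTH = 28                       # "%28zd": count right-aligned in 28 chars
PAYLOAD_LEN = FIELD_WIDTH + len(PHRASE)  # always 56 bytes for SimplePing


def simpleping_payload(next_sequence_number: int) -> bytes:
    """Reproduce the payload SimplePing builds for a given sequence number.

    The count is 99 - (sequence % 100), so it walks 99, 98, ..., 0 and wraps.
    """
    count = 99 - (next_sequence_number % 100)
    return f"{count:{FIELD_WIDTH}d}".encode("ascii") + PHRASE


def is_simpleping_payload(payload: bytes) -> bool:
    """True only if payload matches the SimplePing layout exactly.

    Requires the full 56-byte length, the fixed suffix, and a 0..99 count
    padded with spaces on the left to exactly 28 characters. Anything else
    (a bare "99 bottles ..." string, different padding, a larger count)
    is rejected so it still surfaces for review.
    """
    if len(payload) != PAYLOAD_LEN or not payload.endswith(PHRASE):
        return False
    field = payload[:FIELD_WIDTH]
    digits = field.lstrip(b" ")
    if not digits.isdigit() or len(digits) > 2:
        return False
    if field != digits.rjust(FIELD_WIDTH):   # padding must be spaces only
        return False
    return 0 <= int(digits) <= 99


# Constructed samples standing in for eve.json network.data.decoded values.
# The first two are genuine SimplePing payloads (seq 0 and seq 1); the last
# two share the phrase but not the layout and should not be suppressed.
SAMPLE_DECODED = [
    simpleping_payload(0).decode("ascii"),
    simpleping_payload(1).decode("ascii"),
    "99 bottles of beer on the wall",
    "x" * 26 + "99 bottles of beer on the wall",
]


def triage(decoded_payloads):
    """Split decoded payloads into (likely SimplePing, needs review)."""
    benign, review = [], []
    for text in decoded_payloads:
        raw = text.encode("ascii", "replace")
        (benign if is_simpleping_payload(raw) else review).append(text)
    return benign, review


if __name__ == "__main__":
    benign, review = triage(SAMPLE_DECODED)
    print(f"likely SimplePing: {len(benign)}, needs review: {len(review)}")
```

Because the check is exact on length, padding and count range, it suppresses only the Apple pattern described in the thread; a payload that merely contains the phrase, or carries it at a different offset, still needs review.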