FPs on new sig 2854494

2854494: ETPRO INFO Citrix/GotoMyPC Jedi Remote Control Session 2 - ICMP Traffic

Immediately after this rule emerged across my NSM stacks, we started seeing FPs on it, all from Apple devices (both MacOS and iPhones).

I don’t have a raw packet but the Suricata eve.json field network.data.decoded reports the string “99 bottles of beer on the wall” preceded by 27 spaces. Perhaps the space prefixing or an exact match on icmp payload size may enable you to avoid these FPs where Apple devices are involved.

I was reading up on this and it looks likely related to Apple-SimplePing that likes to put the same odd phrase in the icmp payload.

Apple-SimplePing-Swift-4-master/Common/SimplePing.m: payload = [[NSString stringWithFormat:@"%28zd bottles of beer on the wall", (ssize_t) 99 - (size_t) (self.nextSequenceNumber % 100) ] dataUsingEncoding:NSASCIIStringEncoding];

See GitHub - Xopoko/Apple-SimplePing-Swift-4: SimplePing example written in swift 4


Thanks for the report @kevin_branch

I was pretty surprised when I noticed this ICMP payload, but I was even more surprised when you reported FPs on it!

In the pcap I collected during my testing of GoToMyPC, I observed the spaces, but it appears I see 26 spaces.

Can you confirm the count of 27 spaces in your observed FPs? If so, I can put in a tune for the 26 spaces and hopefully that will eliminate the FP.

In practice I’ve only seen the ICMPs go down to 97 (and then start over). So that could be another tune. I’m guessing due to the threshold in the rule, you’re only seeing alerts on the first “99”, even if the ICMP Payload does decrease by one every time.


It also looks like the ICMP Sequence number resets to 0 every time the payload is “99”. Do the FP alerts that you have observed also include a Sequence Number of 0?

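As an added example (not from this thread, from Apple's SimplePing, or from the ET ruleset), the Python below reproduces the payload that the quoted `%28zd` format produces for each sequence number, wraps it in a constructed ICMP echo request, and parses it back to report the two tuning points raised above: the leading-space count and whether the bottle count lines up with the sequence number. The packet builder and the `consistent_with_simpleping` heuristic are my own assumptions, not an ET tune.

```python
import re
import struct

# Format string quoted from SimplePing.m above: the bottle count is right-justified
# in a 28-character field, so 99 yields 26 leading spaces and 9 yields 27.
def simpleping_payload(seq: int) -> bytes:
    """Reproduce the ICMP echo payload SimplePing sends for sequence number `seq`."""
    bottles = 99 - (seq % 100)
    return ("%28d bottles of beer on the wall" % bottles).encode("ascii")

def leading_spaces(payload: bytes) -> int:
    return len(payload) - len(payload.lstrip(b" "))

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over `data` (zero-padded to 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed ICMP echo request (type 8, code 0), IPv4 header omitted."""
    csum = inet_checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

BOTTLES_RE = re.compile(rb"^( *)(\d+) bottles of beer on the wall$")

def classify_echo(pkt: bytes) -> dict:
    """Parse an ICMP echo request and report the fields a tune would look at.

    `consistent_with_simpleping` is an assumed heuristic: the formatted field must
    be 28 characters wide and the bottle count must equal 99 - (seq % 100)."""
    typ, _code, _csum, _ident, seq = struct.unpack("!BBHHH", pkt[:8])
    m = BOTTLES_RE.match(pkt[8:])
    if typ != 8 or m is None:
        return {"bottles_payload": False}
    spaces, bottles = len(m.group(1)), int(m.group(2))
    return {
        "bottles_payload": True,
        "checksum_ok": inet_checksum(pkt) == 0,   # full packet sums to all-ones
        "leading_spaces": spaces,
        "bottles": bottles,
        "seq": seq,
        "consistent_with_simpleping": spaces + len(m.group(2)) == 28
                                     and bottles == 99 - (seq % 100),
    }
```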