Suricata

You are correct. There is no specific detection for such cases. What do you have in mind?

First of all, by detecting I would setup a flow to avoid any additional work for alerting further traffic between src and dest.
Just have a rule to alert all the ICMP traffic within a flow.

Secondary, seems like I need a kind of transactions hash-map (I saw this kind of thing in DNS at app level) with a copy of initial Packet.

• for request I need to create a transaction, copy the packet and store the copy in the transaction.
• for reply I need to find a transaction and check the payload.
  • No transaction -- create a flow and raise alert (return 1 from detecting module)
  • Payload mismatch -- create a flow, add initial packet for processing with the flow, update the flow for the current packet (drop the transaction)
  • No mismatch -- just drop the transaction.

Could you please comment how reasonable it is, what are the pitfalls with threading model, etc?

Hi,

Sorry for chasing, but is proposal completely wrong?

The flow tracking for (some) ICMP is now done. The rest of the logic will be non-trivial, as ICMP packets are not sent to the app-layer API where the DNS parser lives.