Support #8328 (open)
ICMP error events are not reported
Description
I see suricata is not generating events for ICMP error messages due to the code below, but I need to generate events for ICMP error messages.
    if (PacketIsICMPv4(p)) {
        /* ICMPv4 error messages are not given a flow of their own */
        if (ICMPV4_IS_ERROR_MSG(p->icmp_s.type)) {
            return false;
        }
    }

/* ICMPv4 types that are error messages (RFC 792) */
#define ICMPV4_IS_ERROR_MSG(type) \
    ((type) == ICMP_DEST_UNREACH || (type) == ICMP_SOURCE_QUENCH || (type) == ICMP_REDIRECT || \
     (type) == ICMP_TIME_EXCEEDED || (type) == ICMP_PARAMETERPROB)
Is this done intentionally?
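As an added illustration (not code from this ticket or from Suricata), the Python script below reproduces the classification the ICMPV4_IS_ERROR_MSG macro performs and shows why an ICMP error is normally not a flow of its own: per RFC 792 an error message quotes the IP header and first 8 bytes of the packet it refers to, so a flow engine can key the error on that quoted TCP/UDP 5-tuple. The two packets are constructed inline (addresses taken from the eve records in this ticket), and simulate_flow_table() is a model of the behaviour observed in the ticket (an error-only capture yields no flow event); it is an assumption about how an engine keys ICMP errors, not a description of Suricata's internals, and it omits the direction normalisation a real engine performs.

```python
"""ICMPv4 error classification and flow correlation. Added example, not ticket or Suricata code."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ICMPv4 type values from RFC 792, the same set the ICMPV4_IS_ERROR_MSG macro covers.
ICMP_ECHOREPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_SOURCE_QUENCH = 4
ICMP_REDIRECT = 5
ICMP_ECHO = 8
ICMP_TIME_EXCEEDED = 11
ICMP_PARAMETERPROB = 12
ERROR_TYPES = {ICMP_DEST_UNREACH, ICMP_SOURCE_QUENCH, ICMP_REDIRECT,
               ICMP_TIME_EXCEEDED, ICMP_PARAMETERPROB}

FlowKey = Tuple[str, str, int, int, int]  # src, dst, proto, sport/type, dport/code


def is_error_msg(icmp_type: int) -> bool:
    """Python equivalent of the C macro quoted in the ticket."""
    return icmp_type in ERROR_TYPES


@dataclass
class IcmpInfo:
    src: str
    dst: str
    icmp_type: int
    icmp_code: int
    is_error: bool
    embedded: Optional[FlowKey]  # 5-tuple of the packet quoted by an error message


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def parse_ipv4_icmp(pkt: bytes) -> IcmpInfo:
    """Decode an IPv4/ICMPv4 packet (no Ethernet header; checksums are not verified)."""
    if len(pkt) < 20 or pkt[9] != 1:
        raise ValueError("not an IPv4 packet carrying ICMP")
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = _ip_str(pkt[12:16]), _ip_str(pkt[16:20])
    icmp = pkt[ihl:]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code = icmp[0], icmp[1]
    embedded = None
    if is_error_msg(icmp_type):
        # RFC 792: after the 8-byte ICMP header an error message quotes the offending
        # packet's IP header plus at least 8 bytes of its payload (the TCP/UDP ports).
        inner = icmp[8:]
        if len(inner) >= 20:  # a shorter quote is unusable; the error then has no key
            inner_ihl = (inner[0] & 0x0F) * 4
            inner_proto = inner[9]
            l4 = inner[inner_ihl:inner_ihl + 4]
            sport, dport = (struct.unpack("!HH", l4)
                            if inner_proto in (6, 17) and len(l4) == 4 else (0, 0))
            embedded = (_ip_str(inner[12:16]), _ip_str(inner[16:20]),
                        inner_proto, sport, dport)
    return IcmpInfo(src, dst, icmp_type, icmp_code, is_error_msg(icmp_type), embedded)


def flow_key(info: IcmpInfo) -> Optional[FlowKey]:
    """Informational ICMP is keyed as its own flow with type/code in the port slots
    (cf. icmp_type/icmp_code in the eve flow records); an error is keyed on the
    packet it quotes, and has no key at all if that quote is unusable."""
    if info.is_error:
        return info.embedded
    return (info.src, info.dst, 1, info.icmp_type, info.icmp_code)


def simulate_flow_table(packets: List[bytes]) -> Dict[FlowKey, int]:
    """Model (assumption) of the behaviour seen in the ticket: informational ICMP creates
    or updates a flow; an error only updates an existing flow for the quoted packet and
    never creates one, so a capture holding just the error produces no flow."""
    table: Dict[FlowKey, int] = {}
    for pkt in packets:
        info = parse_ipv4_icmp(pkt)
        key = flow_key(info)
        if key is None:
            continue
        if info.is_error:
            if key in table:
                table[key] += 1
        else:
            table[key] = table.get(key, 0) + 1
    return table


# Constructed sample packets; the addresses come from the eve records in the ticket.
def _ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # version/ihl, tos, total length, id, flags/frag, ttl, proto, checksum (0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, _ip_bytes(src), _ip_bytes(dst))


def build_echo_request(src: str, dst: str, ident: int = 1, seq: int = 1) -> bytes:
    icmp = struct.pack("!BBHHH", ICMP_ECHO, 0, 0, ident, seq) + bytes(56)
    return _ipv4_header(src, dst, 1, len(icmp)) + icmp


def build_port_unreachable(sender: str, receiver: str, orig_src: str, orig_dst: str,
                           orig_sport: int, orig_dport: int) -> bytes:
    """Type 3 code 3 error quoting the undeliverable UDP datagram's IP and UDP headers."""
    udp_hdr = struct.pack("!HHHH", orig_sport, orig_dport, 108, 0)
    quoted = _ipv4_header(orig_src, orig_dst, 17, 108) + udp_hdr
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, 3, 0, 0) + quoted
    return _ipv4_header(sender, receiver, 1, len(icmp)) + icmp


ECHO_PKT = build_echo_request("10.200.0.56", "10.200.0.1")
ERROR_PKT = build_port_unreachable("10.200.0.41", "8.8.8.8",
                                   "8.8.8.8", "10.200.0.41", 40000, 5353)

if __name__ == "__main__":
    for pkt in (ECHO_PKT, ERROR_PKT):
        info = parse_ipv4_icmp(pkt)
        print(info.icmp_type, info.icmp_code, "error" if info.is_error else "info", flow_key(info))
    print("error-only capture:", simulate_flow_table([ERROR_PKT]))
    print("echo-only capture: ", simulate_flow_table([ECHO_PKT]))
```

Running the script shows the asymmetry the ticket reports: the echo request produces a flow keyed on (10.200.0.56, 10.200.0.1, ICMP, 8, 0), while the lone port-unreachable message is keyed on the quoted UDP 5-tuple, finds no matching flow and leaves the table empty.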
Updated by Rajkumar K 24 days ago · Edited
Victor Julien wrote in #note-1:
Can you share a test case?
It's a plain ICMP error, which is not associated with any ICMP requests, as this is received while trying to reach any unreachable tcp/udp port.
Running suricata, with only this packet in the pcap does not produce any event because of the above code

Updated by Victor Julien 19 days ago
Would be good to include a test case with a pcap + rules + expected output, ideally as a SV PR here https://github.com/OISF/suricata-verify
Updated by Rajkumar K 19 days ago
- File icmp2-onlyreply.pcap icmp2-onlyreply.pcap added
- File icmp2-onlyerror.pcap icmp2-onlyerror.pcap added
Command used:
$ suricata -c suricata.yaml -l /var/log/suricata -k none -r icmp2-onlyerror.pcap
Expected output: (after icmp flow timeout) {"timestamp":"2026-03-03T08:51:29.714103+0000","flow_id":1508905420719829,"in_iface":"lanbr0","event_type":"flow","src_ip":"10.200.0.41","dest_ip":"8.8.8.8","ip_v":4,"proto":"ICMP","icmp_type":3,"icmp_code":3,"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":130,"bytes_toclient":0,"start":"2026-03-03T08:51:17.678999+0000","end":"2026-03-03T08:51:17.678999+0000","age":0,"min_ttl_toserver":64,"max_ttl_toserver":64,"min_ttl_toclient":0,"max_ttl_toclient":0,"state":"new","reason":"timeout","alerted":false}}
Actual output:
Nothing
If I run suricata with an ICMP pcap which does not have any error,
$ suricata -c suricata.yaml -l /var/log/suricata -k none -r icmp2-onlyreply.pcap
Output: (Getting the below output without any issue after the icmp flow timeout) {"timestamp":"2026-03-03T11:17:34.657318+0000","flow_id":1063593771973219,"in_iface":"lanbr0","event_type":"flow","src_ip":"142.250.183.174","dest_ip":"192.168.1.12","ip_v":4,"proto":"ICMP","icmp_type":0,"icmp_code":0,"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":98,"bytes_toclient":0,"start":"2026-03-03T11:17:23.706389+0000","end":"2026-03-03T11:17:23.706389+0000","age":0,"min_ttl_toserver":119,"max_ttl_toserver":119,"min_ttl_toclient":64,"max_ttl_toclient":64,"state":"new","reason":"timeout","alerted":false}}
Updated by Rajkumar K 12 days ago
When the input has icmp request and the corresponding ICMP HOST UNREACHABLE ERROR, suricata skips the response and only creates events for the request.
$ suricata -c suricata.yaml -l /var/log/suricata -k none -r icmp-icmp-samehost-unreachable.pcap
Events seen,
{"timestamp":"2026-03-10T14:02:53.065700+0530","flow_id":1408080354461798,"event_type":"flow","src_ip":"10.200.0.56","dest_ip":"10.200.0.1","ip_v":4,"proto":"ICMP","icmp_type":8,"icmp_code":0,"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":98,"bytes_toclient":0,"start":"2026-03-10T14:02:53.065700+0530","end":"2026-03-10T14:02:53.065700+0530","age":0,"min_ttl_toserver":64,"max_ttl_toserver":64,"min_ttl_toclient":0,"max_ttl_toclient":0,"state":"new","reason":"shutdown","alerted":false},"community_id":"1:CKMt9VsnLo2wsTSOIwP1Y7SHmE8="}
Is there a reason behind this behaviour?