<div dir="ltr">I&#39;m not sure I agree without additional context. ICMP exfil is a known technique. Wouldn&#39;t you want to know if all of a sudden, you started seeing gigs of ICMP? Or is there some other limitation that would make detecting this problematic?<div><br></div><div>What I would recommend instead is simply adding the protocols to the ports. So, instead of &quot;top ports: 53, 80, 443, 8&quot; you would see: &quot;top ports: 53/udp, 80/tcp, 443/tcp, 8/icmp&quot;</div><div><br></div><div>Would this be sufficient to solve the ICMP/port number confusion?</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 26, 2016 at 8:07 AM, Adam Slagell (JIRA) <span dir="ltr">&lt;<a href="mailto:jira@bro-tracker.atlassian.net" target="_blank">jira@bro-tracker.atlassian.net</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
    [ <a href="https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&amp;focusedCommentId=25900#comment-25900" rel="noreferrer" target="_blank">https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&amp;focusedCommentId=25900#comment-25900</a> ]<br>
<span class=""><br>
Adam Slagell commented on BIT-1571:<br>
-----------------------------------<br>
<br>
</span>Talking with Seth, he agrees that it probably just makes more sense to leave ICMP out of the connection summaries.<br>
<span class=""><br>
&gt; Connection summaries w/ IPv6 have poor readability<br>
&gt; -------------------------------------------------<br>
&gt;<br>
&gt;                 Key: BIT-1571<br>
&gt;                 URL: <a href="https://bro-tracker.atlassian.net/browse/BIT-1571" rel="noreferrer" target="_blank">https://bro-tracker.atlassian.net/browse/BIT-1571</a><br>
&gt;             Project: Bro Issue Tracker<br>
&gt;          Issue Type: Improvement<br>
&gt;          Components: BroControl<br>
&gt;    Affects Versions: 2.4<br>
&gt;            Reporter: Adam Slagell<br>
&gt;            Assignee: Daniel Thayer<br>
&gt;            Priority: Low<br>
&gt;             Fix For: 2,5<br>
&gt;<br>
&gt;         Attachments: [Bro] Connection summary from 15_53_27-16_00_00.txt<br>
&gt;<br>
&gt;<br>
&gt; The variable length of IPv6 and being mixed with IPv4 causes alignment issues with the white space in the connection summary emails.<br>
<br>
<br>
<br>
--<br>
This message was sent by Atlassian JIRA<br>
</span>(v1000.5.0#72002)<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
bro-dev mailing list<br>
<a href="mailto:bro-dev@bro.org">bro-dev@bro.org</a><br>
<a href="http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev" rel="noreferrer" target="_blank">http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev</a><br>
</div></div></blockquote></div><br></div>
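An added illustration of the labelling proposed in the reply above (not code from BroControl or from anyone in the thread): keying the summary on (port, protocol) keeps an ICMP type such as 8 from reading as a port number, and ICMP volume can still be checked. The record layout, sample values and threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample records (assumed layout, not real traffic):
# (responder port or ICMP type, protocol, total bytes transferred)
SAMPLE = (
    [(53, "udp", 200)] * 5
    + [(80, "tcp", 40_000)] * 4
    + [(443, "tcp", 90_000)] * 3
    + [(8, "icmp", 1_500_000_000)] * 2   # ICMP type 8 (echo request), large payloads
    + [(53, "tcp", 3_000)]
)


def top_ports(records, n=4):
    """Rank (port, proto) pairs by connection count and label them port/proto.

    Counting on the pair keeps 53/udp separate from 53/tcp and makes it
    obvious that 8/icmp is an ICMP type rather than a transport port.
    """
    counts = Counter((port, proto) for port, proto, _ in records)
    # Explicit sort key so that ties are ordered deterministically.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][0], kv[0][1]))
    return [f"{port}/{proto}" for (port, proto), _ in ranked[:n]]


def bytes_by_proto(records):
    """Total bytes per protocol, so volume is visible independent of port rank."""
    totals = Counter()
    for _, proto, nbytes in records:
        totals[proto] += nbytes
    return totals


def icmp_volume_exceeds(records, threshold_bytes):
    """True when total ICMP bytes in the summary window pass the threshold."""
    return bytes_by_proto(records)["icmp"] > threshold_bytes


if __name__ == "__main__":
    print("top ports:", ", ".join(top_ports(SAMPLE)))
    print("ICMP bytes:", bytes_by_proto(SAMPLE)["icmp"])
    print("ICMP over 1 GiB:", icmp_volume_exceeds(SAMPLE, 1 << 30))
```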