Threat signature for ICMP type

Makes sense it would log in all, unless you went into each VP and marked it as 'ignore'.  That was the challenge with creation of app - it overrides all other icmp apps and unless you create a new application group 'icmp-all' that included icmp and the customs....potential for things to be missed

Edit:  Actually, no...doesn't make sense on the VP now looking in depth.  Probably one of those PA gotchas

Thanks for crafting the signature!  I'm looking forward to seeing it in my lab (and potentially prod!)

Hello @TomYoung and @Chris_Johnston 

Thank you for the post.

What are we solving;
Identify the ICMP request and reply using a custom threat signature.

For ICMP response ( echo-response): 
In the custom vulnerability signature, the identity echo-response is easy as the context is available. 

The signature 44000, will work perfectly as we have selected icmp-rsp-code [ as 0] and you can also add icmp-rsp-type [ also as 0]. 

The threat logs is shown as below.

For ICMP request, that is echo request: 
This is hard to identify as in the custom vulnerability signature, there is no context to select "icmp-req-code" or "icmp-req-type".

The below line will match the payload in the icmp protocol.  

>>set threats vulnerability 44008 signature standard icmp-req-data and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match context icmp-req-data

The best way to identify the response code is, please use the custom application identification with ICMP base and select the Type and code as follows.

CLI: show application icmp-echo-request
set application icmp-echo-request default ident-by-icmp-type type 8
set application icmp-echo-request default ident-by-icmp-type code 0
set application icmp-echo-request subcategory internet-utility
set application icmp-echo-request category general-internet
set application icmp-echo-request technology network-protocol
set application icmp-echo-request risk 1
set application icmp-echo-request parent-app icmp
[edit]

show threats
set threats vulnerability 44000 signature standard icmp-rsp-code and-condition "And Condition 1" or-condition "Or Condition 1" operator equal-to value 0
set threats vulnerability 44000 signature standard icmp-rsp-code and-condition "And Condition 1" or-condition "Or Condition 1" operator equal-to context icmp-rsp-code
set threats vulnerability 44000 signature standard icmp-rsp-code and-condition "And Condition 1" or-condition "Or Condition 1" operator equal-to negate no
set threats vulnerability 44000 signature standard icmp-rsp-code and-condition "And Condition 2" or-condition "Or Condition 1" operator equal-to value 0
set threats vulnerability 44000 signature standard icmp-rsp-code and-condition "And Condition 2" or-condition "Or Condition 1" operator equal-to context icmp-rsp-type
set threats vulnerability 44000 signature standard icmp-rsp-code and-condition "And Condition 2" or-condition "Or Condition 1" operator equal-to negate no
set threats vulnerability 44000 signature standard icmp-rsp-code order-free yes
set threats vulnerability 44000 signature standard icmp-rsp-code scope protocol-data-unit
set threats vulnerability 44000 default-action alert
set threats vulnerability 44000 threatname "ICMP echo response"
set threats vulnerability 44000 severity informational
set threats vulnerability 44000 direction both
set threats vulnerability 44000 affected-host client yes
set threats vulnerability 44000 affected-host server yes