Network Sniffing - Linux
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Sigma rule (View on GitHub)
1title: Network Sniffing - Linux
2id: f4d3748a-65d1-4806-bd23-e25728081d01
3status: test
4description: |
5 Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
6 An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
9author: Timur Zinniatullin, oscd.community
10date: 2019-10-21
11modified: 2022-12-18
12tags:
13 - attack.credential-access
14 - attack.discovery
15 - attack.t1040
16logsource:
17 product: linux
18 service: auditd
19detection:
20 selection_1:
21 type: 'execve'
22 a0: 'tcpdump'
23 a1: '-c'
24 a3|contains: '-i'
25 selection_2:
26 type: 'execve'
27 a0: 'tshark'
28 a1: '-c'
29 a3: '-i'
30 condition: 1 of selection_*
31falsepositives:
32 - Legitimate administrator or user uses network sniffing tool for legitimate reasons.
33level: low
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Cisco Sniffing
- Harvesting Of Wifi Credentials Via Netsh.EXE
- Network Sniffing - MacOs
- New Network Trace Capture Started Via Netsh.EXE
- Potential Network Sniffing Activity Using Network Tools