Cisco Sniffing
Shows when a monitor or a SPAN/RSPAN is set up or modified
Sigma rule

```yaml
title: Cisco Sniffing
id: b9e1f193-d236-4451-aaae-2f3d2102120d
status: test
description: Show when a monitor or a span/rspan is setup or modified
author: Austin Clark
date: 2019-08-11
modified: 2023-01-04
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1040
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'monitor capture point'
        - 'set span'
        - 'set rspan'
    condition: keywords
fields:
    - CmdSet
falsepositives:
    - Admins may setup new or modify old spans, or use a monitor for troubleshooting
level: medium
```
Related rules
- Harvesting Of Wifi Credentials Via Netsh.EXE
- Network Sniffing - Linux
- Network Sniffing - MacOs
- New Network Trace Capture Started Via Netsh.EXE
- Potential Network Sniffing Activity Using Network Tools