Cisco Sniffing
Show when a monitor or a SPAN/RSPAN is set up or modified
Sigma rule
title: Cisco Sniffing
id: b9e1f193-d236-4451-aaae-2f3d2102120d
status: test
description: Show when a monitor or a span/rspan is setup or modified
author: Austin Clark
date: 2019/08/11
modified: 2023/01/04
tags:
    - attack.credential_access
    - attack.discovery
    - attack.t1040
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'monitor capture point'
        - 'set span'
        - 'set rspan'
    condition: keywords
fields:
    - CmdSet
falsepositives:
    - Admins may setup new or modify old spans, or use a monitor for troubleshooting
level: medium
Related rules
- Network Sniffing - Linux
- Network Sniffing - MacOs
- Cisco Show Commands Input
- AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
- Automated Collection Bookmarks Using Get-ChildItem PowerShell