Cisco BGP Authentication Failures

Detects Cisco TCP MD5 authentication failures on the BGP port (TCP 179), which may indicate brute-force attempts against a BGP peering session with the goal of manipulating routing

Sigma rule (View on GitHub)

title: Cisco BGP Authentication Failures
id: 56fa3cd6-f8d6-4520-a8c7-607292971886
status: test
description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing
references:
    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023/01/09
modified: 2023/01/23
tags:
    - attack.initial_access
    - attack.persistence
    - attack.privilege_escalation
    - attack.defense_evasion
    - attack.credential_access
    - attack.collection
    - attack.t1078
    - attack.t1110
    - attack.t1557
logsource:
    product: cisco
    service: bgp
    definition: 'Requirements: cisco bgp logs need to be enabled and ingested'
detection:
    keywords_bgp_cisco:
        '|all':
            - ':179' # Protocol
            - 'IP-TCP-3-BADAUTH'
    condition: keywords_bgp_cisco
fields:
    - tcpConnLocalAddress
    - tcpConnRemAddress
falsepositives:
    - Unlikely. Except due to misconfigurations
level: low
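The detection above is a Sigma keyword rule: because of the `'|all'` modifier, a raw log line is a hit only when it contains both `:179` and `IP-TCP-3-BADAUTH` (Sigma keyword matching is a case-insensitive substring test). The following Python is an added example, not part of the SigmaHQ rule or its author's code. It applies that matching logic to constructed Cisco-style syslog lines and then goes one step beyond the rule by grouping hits per remote peer, which is how an analyst would tell a brute-force attempt from a single misconfigured neighbor. The message text of the sample lines, the threshold of three failures, and the mapping of the `from`/`to` addresses onto the rule's `tcpConnRemAddress`/`tcpConnLocalAddress` fields are assumptions for illustration.

```python
import re
from collections import Counter

# The two strings from the rule's '|all' keyword list: both must be present.
KEYWORDS_ALL = (":179", "IP-TCP-3-BADAUTH")

# Constructed sample syslog lines (not real captures). The "%IP-TCP-3-BADAUTH"
# message text is an approximation and is an assumption of this example.
SAMPLE_LOGS = [
    "Jan  9 10:00:01 rtr1 : %IP-TCP-3-BADAUTH : Invalid MD5 digest from 198.51.100.7:38211 to 192.0.2.1:179",
    "Jan  9 10:00:02 rtr1 : %IP-TCP-3-BADAUTH : Invalid MD5 digest from 198.51.100.7:38212 to 192.0.2.1:179",
    "Jan  9 10:00:03 rtr1 : %IP-TCP-3-BADAUTH : Invalid MD5 digest from 198.51.100.7:38213 to 192.0.2.1:179",
    # Sigma keyword matching is case-insensitive, so this lower-case variant still hits.
    "Jan  9 10:00:04 rtr1 : %ip-tcp-3-badauth : Invalid MD5 digest from 203.0.113.9:51000 to 192.0.2.1:179",
    # MD5 failure on a non-BGP port: only one keyword present, so the rule ignores it.
    "Jan  9 10:00:05 rtr1 : %IP-TCP-3-BADAUTH : Invalid MD5 digest from 203.0.113.9:51001 to 192.0.2.1:646",
    # Port 179 without an authentication failure: not a hit either.
    "Jan  9 10:00:06 rtr1 : %BGP-5-ADJCHANGE : neighbor 198.51.100.7:179 Up",
    # Caveat: ':179' is a plain substring, so an ephemeral port such as 17933
    # also satisfies the keyword even though the BGP port is not involved.
    "Jan  9 10:00:07 rtr1 : %IP-TCP-3-BADAUTH : Invalid MD5 digest from 203.0.113.9:17933 to 192.0.2.1:646",
]

# Pulls "from <addr>:<port> to <addr>:<port>" out of the message text (assumed format).
ENDPOINT_RE = re.compile(r"from (\S+?):(\d+) to (\S+?):(\d+)")


def sigma_keywords_all(line, keywords=KEYWORDS_ALL):
    """Emulate a Sigma keyword list with the '|all' modifier: every keyword must be
    a case-insensitive substring of the raw log line."""
    lowered = line.lower()
    return all(k.lower() in lowered for k in keywords)


def extract_endpoints(line):
    """Map the message's from/to addresses onto the rule's 'fields' (assumed mapping:
    the sender of the bad segment is the remote address, the router is local)."""
    m = ENDPOINT_RE.search(line)
    if not m:
        return None
    return {
        "tcpConnRemAddress": m.group(1),
        "remote_port": int(m.group(2)),
        "tcpConnLocalAddress": m.group(3),
        "local_port": int(m.group(4)),
    }


def match_bgp_badauth(lines):
    """Return (line, endpoints) for every line the Sigma rule would fire on."""
    return [(line, extract_endpoints(line)) for line in lines if sigma_keywords_all(line)]


def failures_per_peer(lines):
    """Count rule hits by remote peer address, the pivot an analyst would use."""
    counts = Counter()
    for _, endpoints in match_bgp_badauth(lines):
        counts[endpoints["tcpConnRemAddress"] if endpoints else "unknown"] += 1
    return counts


def suspected_bruteforce(lines, threshold=3):
    """Peers with at least `threshold` authentication failures (threshold is assumed)."""
    return sorted(peer for peer, n in failures_per_peer(lines).items() if n >= threshold)


if __name__ == "__main__":
    for line, endpoints in match_bgp_badauth(SAMPLE_LOGS):
        print("HIT ", endpoints, "<-", line)
    print("failures per peer:", dict(failures_per_peer(SAMPLE_LOGS)))
    print("suspected brute force:", suspected_bruteforce(SAMPLE_LOGS))
```

Running this flags five of the seven lines and reports 198.51.100.7 as the only peer over the threshold. The last sample line shows why the rule is marked `level: low`: the `:179` keyword is a substring test on the whole line, so any ephemeral port beginning with 179 also triggers it, and the per-peer count (or a field-level check of the destination port, where the log pipeline parses it) is what separates an attack from noise.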
