Cisco LDP Authentication Failures
Detects LDP TCP MD5 authentication failures, which may indicate brute-force attempts against the LDP session password in order to manipulate MPLS labels
Sigma rule
title: Cisco LDP Authentication Failures
id: 50e606bf-04ce-4ca7-9d54-3449494bbd4b
status: test
description: Detects LDP TCP MD5 authentication failures, which may indicate brute-force attempts against the LDP session password in order to manipulate MPLS labels
references:
  - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
tags:
  - attack.initial-access
  - attack.persistence
  - attack.privilege-escalation
  - attack.defense-evasion
  - attack.credential-access
  - attack.collection
  - attack.t1078
  - attack.t1110
  - attack.t1557
logsource:
  product: cisco
  service: ldp
  definition: 'Requirements: Cisco LDP logs need to be enabled and ingested'
detection:
  selection_protocol:
    - 'LDP'
  selection_keywords:
    - 'SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL'
    - 'TCPMD5AuthenFail'
  condition: selection_protocol and selection_keywords
fields:
  - tcpConnLocalAddress
  - tcpConnRemAddress
falsepositives:
  - Unlikely, except where the TCP MD5 password is misconfigured or mismatched on one side of the session
level: low
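The following is an added example, not part of the rule or the Sigma project, showing how the detection block above evaluates against log lines and how a practitioner would turn the single-event match into a brute-force indicator. Only the two keyword strings and the `LDP` token come from the rule; the syslog-style sample lines, the `from <ip>(<port>) to <ip>(<port>)` tail used to recover `tcpConnRemAddress` and `tcpConnLocalAddress`, and the threshold of three failures are assumptions made for illustration, not documented Cisco message formats.

```python
"""Evaluate the Cisco LDP Authentication Failures rule against sample lines.

Added example. The message layout below is constructed for illustration and
is NOT a documented Cisco format; only the keyword strings are from the rule.
"""
import re
from collections import Counter

# Keyword groups copied from the rule's detection block. A Sigma keyword list
# is an OR of case-insensitive substring matches, and the condition
# `selection_protocol and selection_keywords` ANDs the two groups together.
SELECTION_PROTOCOL = ["LDP"]
SELECTION_KEYWORDS = ["SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL", "TCPMD5AuthenFail"]

# Constructed sample log lines (hypothetical syslog-style format). Three
# failures from 192.0.2.10 look like a password-guessing run, one failure from
# 203.0.113.5 looks like a mismatched key, and the BGP line must NOT match
# because the rule requires the LDP token as well as a keyword.
SAMPLE_LOGS = [
    "Jan  9 10:01:02 pe1 %TCP-6-TCPMD5AuthenFail: LDP MD5 authentication failed from 192.0.2.10(646) to 198.51.100.1(11001)",
    "Jan  9 10:01:03 pe1 %TCP-6-TCPMD5AuthenFail: LDP MD5 authentication failed from 192.0.2.10(646) to 198.51.100.1(11001)",
    "Jan  9 10:01:04 pe1 SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL: LDP MD5 digest mismatch from 192.0.2.10(646) to 198.51.100.1(11001)",
    "Jan  9 10:01:05 pe1 %TCP-6-TCPMD5AuthenFail: BGP MD5 authentication failed from 192.0.2.20(179) to 198.51.100.1(20567)",
    "Jan  9 10:01:06 pe1 %LDP-5-NBRCHG: LDP Neighbor 198.51.100.2:0 is UP",
    "Jan  9 10:02:30 pe1 %TCP-6-TCPMD5AuthenFail: LDP MD5 authentication failed from 203.0.113.5(646) to 198.51.100.1(11002)",
]

# Assumed endpoint layout for recovering the rule's two output fields.
ENDPOINTS = re.compile(
    r"from (?P<remote>\d{1,3}(?:\.\d{1,3}){3})\((?P<rport>\d+)\)"
    r" to (?P<local>\d{1,3}(?:\.\d{1,3}){3})\((?P<lport>\d+)\)"
)


def _contains_any(line, needles):
    """Sigma keyword semantics: case-insensitive substring, OR across the list."""
    lowered = line.lower()
    return any(n.lower() in lowered for n in needles)


def matches_rule(line):
    """True when the line satisfies `selection_protocol and selection_keywords`."""
    return _contains_any(line, SELECTION_PROTOCOL) and _contains_any(line, SELECTION_KEYWORDS)


def extract_fields(line):
    """Return the rule's `fields` (tcpConnRemAddress, tcpConnLocalAddress) or None."""
    m = ENDPOINTS.search(line)
    if not m:
        return None
    return {"tcpConnRemAddress": m.group("remote"), "tcpConnLocalAddress": m.group("local")}


def alerts(lines=SAMPLE_LOGS):
    """Every line the rule fires on, paired with its extracted fields."""
    return [(line, extract_fields(line)) for line in lines if matches_rule(line)]


def failures_by_remote(lines=SAMPLE_LOGS):
    """Count rule hits per remote address; 'unknown' when the tail does not parse."""
    counts = Counter()
    for line in lines:
        if matches_rule(line):
            fields = extract_fields(line)
            counts[fields["tcpConnRemAddress"] if fields else "unknown"] += 1
    return dict(counts)


def brute_force_candidates(lines=SAMPLE_LOGS, threshold=3):
    """Remote addresses with at least `threshold` failures (threshold is an assumption)."""
    return sorted(ip for ip, n in failures_by_remote(lines).items() if n >= threshold)


if __name__ == "__main__":
    for line, fields in alerts():
        print("ALERT", fields, "|", line)
    print("failures by remote:", failures_by_remote())
    print("brute-force candidates:", brute_force_candidates())
```

Two caveats the code makes visible. First, `LDP` is a bare, case-insensitive substring in Sigma, so any message containing `ldp` (a hostname, a path) alongside one of the MD5 keywords would also match; if your platform's LDP messages carry a distinct facility or mnemonic, anchoring on that is tighter. Second, the rule is `level: low` and fires on every single failure; a one-off mismatch after a key rotation and a sustained guessing run look identical at that level, which is why the per-remote count above is the first thing to add in a correlation search or dashboard.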
References
- https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
Related rules
- Cisco BGP Authentication Failures
- Huawei BGP Authentication Failures
- Juniper BGP Missing MD5
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address