Cisco LDP Authentication Failures

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

Sigma rule

title: Cisco LDP Authentication Failures
id: 50e606bf-04ce-4ca7-9d54-3449494bbd4b
status: test
description: Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
references:
    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023/01/09
tags:
    - attack.initial_access
    - attack.persistence
    - attack.privilege_escalation
    - attack.defense_evasion
    - attack.credential_access
    - attack.collection
    - attack.t1078
    - attack.t1110
    - attack.t1557
logsource:
    product: cisco
    service: ldp
    definition: 'Requirements: cisco ldp logs need to be enabled and ingested'
detection:
    selection_protocol:
        - 'LDP'
    selection_keywords:
        - 'SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL'
        - 'TCPMD5AuthenFail'
    condition: selection_protocol and selection_keywords
fields:
    - tcpConnLocalAddress
    - tcpConnRemAddress
falsepositives:
    - Unlikely, except due to misconfigurations
level: low
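The rule's condition (an LDP keyword AND one of the two TCP MD5 failure keywords in the same message) applied to constructed sample log lines, as an added example that is not part of the rule or the Sigma project. It also populates the rule's two `fields` and counts failures per remote peer, which separates the stated false positive (a one-off key mismatch) from the repeated failures a brute-force attempt would produce; the syslog line shape and the burst threshold are assumptions, not a captured Cisco format.

```python
import re
from collections import Counter

# Keyword lists copied from the Sigma rule above; the rule fires when a line
# contains the protocol keyword AND one of the failure keywords.
PROTOCOL_KEYWORDS = ("LDP",)
FAILURE_KEYWORDS = ("SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL", "TCPMD5AuthenFail")

# Constructed sample syslog lines (illustrative shape, not captured from a device).
# Convention in these samples: the first address is the remote peer, the second the local one.
SAMPLE_LOGS = [
    "Jan  9 10:00:01 pe1 ldp: LDP neighbor 10.0.0.2 is UP",
    "Jan  9 10:00:05 pe1 tcp: SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL LDP from 203.0.113.7(646) to 10.0.0.1(646)",
    "Jan  9 10:00:06 pe1 tcp: SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL LDP from 203.0.113.7(646) to 10.0.0.1(646)",
    "Jan  9 10:00:07 pe1 tcp: SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL LDP from 203.0.113.7(646) to 10.0.0.1(646)",
    "Jan  9 10:00:30 pe1 tcp: SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL BGP from 203.0.113.9(179) to 10.0.0.1(179)",
    "Jan  9 10:01:00 pe1 tcp: TCPMD5AuthenFail LDP from 10.0.0.3(646) to 10.0.0.1(646)",
]

ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def matches_rule(line: str) -> bool:
    """Apply the rule's condition: selection_protocol and selection_keywords."""
    has_protocol = any(k in line for k in PROTOCOL_KEYWORDS)
    has_failure = any(k in line for k in FAILURE_KEYWORDS)
    return has_protocol and has_failure


def extract_fields(line: str) -> dict:
    """Populate the rule's 'fields' (remote and local TCP addresses) from a matching line."""
    addrs = ADDR_RE.findall(line)
    return {
        "tcpConnRemAddress": addrs[0] if len(addrs) > 0 else None,
        "tcpConnLocalAddress": addrs[1] if len(addrs) > 1 else None,
    }


def analyse(lines, burst_threshold: int = 3) -> dict:
    """Return matched events, per-peer failure counts and peers at or above the burst threshold.

    A single failure from a known peer usually points at a key mismatch (the rule's stated
    false positive); repeated failures from one source are the brute-force pattern."""
    events = [extract_fields(l) for l in lines if matches_rule(l)]
    per_peer = Counter(e["tcpConnRemAddress"] for e in events)
    bursts = {peer: n for peer, n in per_peer.items() if n >= burst_threshold}
    return {"events": events, "per_peer": per_peer, "bursts": bursts}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOGS)
    for peer, n in result["per_peer"].items():
        print(f"{peer}: {n} LDP MD5 failure(s){'  <-- burst' if peer in result['bursts'] else ''}")
```

Note that the BGP line carries the same failure keyword but no LDP keyword, so the rule's AND condition correctly leaves it out.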
