Huawei BGP Authentication Failures
Detects BGP authentication failures on Huawei devices, which may indicate brute-force attempts against peer session passwords as a precursor to manipulating routing.
Sigma rule (View on GitHub)
```yaml
title: Huawei BGP Authentication Failures
id: a557ffe6-ac54-43d2-ae69-158027082350
status: test
description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
references:
    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
modified: 2023-01-23
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.credential-access
    - attack.collection
    - attack.t1078
    - attack.t1110
    - attack.t1557
logsource:
    product: huawei
    service: bgp
    definition: 'Requirements: huawei bgp logs need to be enabled and ingested'
detection:
    keywords_bgp_huawei:
        '|all':
            - ':179' # TCP port 179 (BGP)
            - 'BGP_AUTH_FAILED'
    condition: keywords_bgp_huawei
fields:
    - host
    - PeeId
falsepositives:
    - Unlikely, except due to misconfigurations
level: low
```
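The rule's detection block is a keyword match: an event fires only when both `:179` and `BGP_AUTH_FAILED` occur in it. The following Python is an added example, not part of the Sigma rule or of any Huawei tooling. It reproduces that `|all` keyword logic over constructed syslog lines (the `%%01BGP/4/BGP_AUTH_FAILED` message layout and the `PeerIp=`/`PeerId=` fields are assumptions made for illustration, not verified Huawei VRP output) and then goes one step past the rule by counting failures per peer, since a single failure is what a fat-fingered password looks like and a burst from one address is what brute force looks like.

```python
import re
from collections import Counter

# Keywords copied from the Sigma rule. '|all' means every keyword must appear.
KEYWORDS = (":179", "BGP_AUTH_FAILED")

# Constructed sample events. The message format is an assumption for the example,
# not captured Huawei output.
SAMPLE_LOGS = [
    # Six failures in quick succession from one peer: the brute-force pattern.
    *(
        f"Jan  9 10:01:{s:02d} core-rtr1 %%01BGP/4/BGP_AUTH_FAILED(l)[{s}]:"
        f"The BGP authentication failed. (PeerIp=203.0.113.7:179, PeerId=203.0.113.7)"
        for s in range(10, 16)
    ),
    # One failure from another peer, consistent with a misconfigured password.
    "Jan  9 10:05:00 core-rtr1 %%01BGP/4/BGP_AUTH_FAILED(l)[22]:"
    "The BGP authentication failed. (PeerIp=198.51.100.9:179, PeerId=198.51.100.9)",
    # Port 179 present but not an authentication failure: must not match.
    "Jan  9 10:06:00 core-rtr1 %%01BGP/3/STATE_CHG_UPDOWN(l)[23]:"
    "The status of the peer 192.0.2.4:179 changed from ESTABLISHED to IDLE.",
    # Unrelated event with neither keyword.
    "Jan  9 10:07:00 core-rtr1 %%01SHELL/5/CMDRECORD(s)[24]:"
    "Recorded command information. (Task=VTY0, Ip=192.0.2.200, User=admin)",
]

# IPv4 address immediately followed by the BGP port, e.g. 203.0.113.7:179
PEER_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):179\b")


def matches_rule(event: str) -> bool:
    """Sigma keyword semantics: case-insensitive substring test for every keyword."""
    lowered = event.lower()
    return all(keyword.lower() in lowered for keyword in KEYWORDS)


def peer_of(event: str):
    """Return the peer IPv4 address from an event, or None if no <ip>:179 is present."""
    match = PEER_RE.search(event)
    return match.group(1) if match else None


def failures_by_peer(events) -> Counter:
    """Count rule hits per peer address; hits without a parsable peer go to 'unknown'."""
    counts = Counter()
    for event in events:
        if matches_rule(event):
            counts[peer_of(event) or "unknown"] += 1
    return counts


def brute_force_candidates(events, threshold: int = 5):
    """Peers whose authentication-failure count reaches the threshold."""
    return sorted(peer for peer, n in failures_by_peer(events).items() if n >= threshold)


if __name__ == "__main__":
    hits = [e for e in SAMPLE_LOGS if matches_rule(e)]
    print(f"{len(hits)} of {len(SAMPLE_LOGS)} events match the rule")
    for peer, n in failures_by_peer(SAMPLE_LOGS).most_common():
        print(f"  {peer}: {n} failure(s)")
    print("brute-force candidates:", brute_force_candidates(SAMPLE_LOGS))
```

Two caveats follow from the rule as written. First, `:179` is a bare substring, not a port field: it only narrows the match to the BGP port when the device includes the port in the message, and it would also match inside an IPv6 hextet such as `2001:db8:1790::1`; the `BGP_AUTH_FAILED` keyword is what carries the detection. Second, the rule has no threshold, so one mistyped password on a new peering session raises the same alert as a sustained guessing attempt. The per-peer count above is where a practitioner would add that distinction, keyed on the `host` and peer fields the rule already exposes.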
References
- https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
Related rules
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures
- Juniper BGP Missing MD5
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address