Huawei BGP Authentication Failures

Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

Sigma rule (View on GitHub)

 1title: Huawei BGP Authentication Failures
 2id: a557ffe6-ac54-43d2-ae69-158027082350
 3status: test
 4description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
 5references:
 6    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
 7author: Tim Brown
 8date: 2023-01-09
 9modified: 2023-01-23
10tags:
11    - attack.initial-access
12    - attack.persistence
13    - attack.privilege-escalation
14    - attack.defense-evasion
15    - attack.credential-access
16    - attack.collection
17    - attack.t1078
18    - attack.t1110
19    - attack.t1557
20logsource:
21    product: huawei
22    service: bgp
23    definition: 'Requirements: huawei bgp logs need to be enabled and ingested'
24detection:
25    keywords_bgp_huawei:
26        '|all':
27            - ':179' # Protocol
28            - 'BGP_AUTH_FAILED'
29    condition: keywords_bgp_huawei
30fields:
31    - host
32    - PeeId
33falsepositives:
34    - Unlikely. Except due to misconfigurations
35level: low

References

Related rules

to-top