Juniper BGP Missing MD5

Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.

Sigma rule (View on GitHub)

 1title: Juniper BGP Missing MD5
 2id: a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43
 3status: test
 4description: Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.
 5references:
 6    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
 7author: Tim Brown
 8date: 2023-01-09
 9modified: 2023-01-23
10tags:
11    - attack.initial-access
12    - attack.persistence
13    - attack.privilege-escalation
14    - attack.defense-evasion
15    - attack.credential-access
16    - attack.collection
17    - attack.t1078
18    - attack.t1110
19    - attack.t1557
20logsource:
21    product: juniper
22    service: bgp
23    definition: 'Requirements: juniper bgp logs need to be enabled and ingested'
24detection:
25    keywords_bgp_juniper:
26        '|all':
27            - ':179' # Protocol
28            - 'missing MD5 digest'
29    condition: keywords_bgp_juniper
30fields:
31    - host
32falsepositives:
33    - Unlikely. Except due to misconfigurations
34level: low

References

Related rules

to-top