sigmaDRL-1.1from SigmaHQ/sigma

Cisco BGP Authentication Failures

Detects BGP failures which may be indicative of brute force attacks to manipulate routing

Quality

100

FP risk

—

Forks

Views

ATT&CK techniques

T1078 T1110 T1557

Rule sourcerules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml

title: Cisco BGP Authentication Failures
id: 56fa3cd6-f8d6-4520-a8c7-607292971886
status: test
description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing
references:
    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
modified: 2023-01-23
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.credential-access
    - attack.collection
    - attack.t1078
    - attack.t1110
    - attack.t1557
logsource:
    product: cisco
    service: bgp
    definition: 'Requirements: cisco bgp logs need to be enabled and ingested'
detection:
    keywords_bgp_cisco:
        '|all':
            - ':179' # Protocol
            - 'IP-TCP-3-BADAUTH'
    condition: keywords_bgp_cisco
falsepositives:
    - Unlikely. Except due to misconfigurations
level: low