← Library
sigmaDRL-1.1from SigmaHQ/sigma

Cisco LDP Authentication Failures

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1078T1110T1557
Rule sourcerules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml
title: Cisco LDP Authentication Failures
id: 50e606bf-04ce-4ca7-9d54-3449494bbd4b
status: test
description: Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
references:
    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.credential-access
    - attack.collection
    - attack.t1078
    - attack.t1110
    - attack.t1557
logsource:
    product: cisco
    service: ldp
    definition: 'Requirements: cisco ldp logs need to be enabled and ingested'
detection:
    selection_protocol:
        - 'LDP'
    selection_keywords:
        - 'SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL'
        - 'TCPMD5AuthenFail'
    condition: selection_protocol and selection_keywords
falsepositives:
    - Unlikely. Except due to misconfigurations
level: low