Techniques
Sample rules
Network Sniffing - Linux
- source: sigma
- technicques:
- t1040
Description
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Detection logic
condition: 1 of selection_*
selection_1:
a0: tcpdump
a1: -c
a3|contains: -i
type: execve
selection_2:
a0: tshark
a1: -c
a3: -i
type: execve