False positives: this local port value should not appear for normal WebUI logins, so false positives should be very minimal.

Techniques

Sample rules

Cisco IOS XE WebUI Login From IOSd Local Port

Description

This analytic detects Cisco IOS-XE WebUI authentication failure and success logs that include local port 21111. This is a strong indicator of WebUI exploitation because normal users should not authenticate through the underlying IOS-XE Linux shell path.

Detection logic

`cisco_ios`
facility="SEC_LOGIN"
mnemonic IN ("QUIET_MODE_ON", "LOGIN_SUCCESS", "LOGIN_FAILED")
message_text="*[localport: 21111]*"
| rex field=_raw "\[user:\s*(?<user>[^\]]+)\]"
| rex field=_raw "\[Source:\s*(?<src_ip>[^\]]+)\]"
| rex field=_raw "\[localport:\s*(?<local_port>[^\]]+)\]"
| rex field=_raw "\[Reason:\s*(?<reason>[^\]]+)\]"
| rex field=_raw "\[ACL:\s*(?<acl>[^\]]+)\]"
| eval dest=coalesce(host, dvc, dest, "unknown")
| stats count min(_time) as firstTime max(_time) as lastTime values(local_port) as local_port values(acl) as acl by dest user src_ip reason
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_webui_login_from_iosd_local_port_filter`
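As an added illustration, not part of the LoFP page or the Splunk rule, the same field extraction and local-port filter that the rex and stats clauses above perform, written in Python over constructed sample SEC_LOGIN syslog lines (users, addresses and timestamps are made up; the dest value is assumed since syslog lines carry no host field here):

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the Cisco IOS-XE SEC_LOGIN format; the
# users, addresses and timestamps are made up for this example.
SAMPLE_LOGS = [
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.10] "
    "[localport: 443] at 10:01:02 UTC Tue Oct 17 2023",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] "
    "[localport: 21111] [Reason: Login Authentication Failed] at 10:05:11 UTC Tue Oct 17 2023",
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: webadmin] [Source: 198.51.100.7] "
    "[localport: 21111] at 10:05:20 UTC Tue Oct 17 2023",
    "%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, "
    "[user: admin] [Source: 198.51.100.7] [localport: 21111] "
    "[Reason: Login Authentication Failed] [ACL: sl_def_acl] at 10:06:00 UTC Tue Oct 17 2023",
]

MNEMONICS = ("QUIET_MODE_ON", "LOGIN_SUCCESS", "LOGIN_FAILED")
HEADER_RE = re.compile(r"%SEC_LOGIN-\d-(?P<mnemonic>[A-Z_]+):")
# Same bracketed "[key: value]" pattern the rex commands in the rule rely on.
FIELD_RE = re.compile(r"\[(?P<key>user|Source|localport|Reason|ACL):\s*(?P<val>[^\]]+)\]")


def parse_line(line):
    """Return a dict of fields for a SEC_LOGIN line of interest, else None."""
    m = HEADER_RE.search(line)
    if not m or m.group("mnemonic") not in MNEMONICS:
        return None
    fields = {"mnemonic": m.group("mnemonic")}
    for key, val in FIELD_RE.findall(line):
        fields[key.lower()] = val.strip()
    return fields


def detect(lines, suspicious_port="21111", dest="unknown"):
    """Keep only events whose localport is the IOSd local port, then count
    them per (dest, user, src_ip, reason) as the rule's stats clause does."""
    hits = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.get("localport") != suspicious_port:
            continue  # normal WebUI logins (e.g. port 443) never reach here
        key = (dest, ev.get("user"), ev.get("source"), ev.get("reason"))
        hits[key] += 1
    return dict(hits)
```

Running `detect(SAMPLE_LOGS)` drops the port-443 login and groups the three port-21111 events into two rows, matching how the rule's stats output would look.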