LoFP / unlikely, except due to misconfigurations

Techniques

Sample rules

Juniper BGP Missing MD5

Description

Detects Juniper BGP sessions reporting a missing MD5 digest, which may be indicative of brute force attacks to manipulate routing.

Detection logic

condition: keywords_bgp_juniper
keywords_bgp_juniper:
  '|all':
  - :179
  - missing MD5 digest

Cisco BGP Authentication Failures

Description

Detects BGP authentication failures which may be indicative of brute force attacks to manipulate routing.

Detection logic

condition: keywords_bgp_cisco
keywords_bgp_cisco:
  '|all':
  - :179
  - IP-TCP-3-BADAUTH

Cisco LDP Authentication Failures

Description

Detects LDP authentication failures which may be indicative of brute force attacks to manipulate MPLS labels.

Detection logic

condition: selection_protocol and selection_keywords
selection_keywords:
- SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL
- TCPMD5AuthenFail
selection_protocol:
- LDP

Huawei BGP Authentication Failures

Description

Detects BGP authentication failures which may be indicative of brute force attacks to manipulate routing.

Detection logic

condition: keywords_bgp_huawei
keywords_bgp_huawei:
  '|all':
  - :179
  - BGP_AUTH_FAILED
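As an added example (not part of this page or of the Sigma project), the keyword logic of the four rules above run over constructed syslog lines, assuming Sigma keyword search is a case-insensitive substring match and that each selection is a group that must match; the per-peer count shows how to tell the single misconfigured peer of the LoFP note from many failing peers.

```python
import re
from collections import Counter

# The page's rules reduced to keyword groups: every group must match (AND);
# a group matches if ALL or ANY of its keywords occur in the line.
# Assumption: keyword search is a case-insensitive substring match.
RULES = {
    "Juniper BGP Missing MD5": [("all", [":179", "missing MD5 digest"])],
    "Cisco BGP Authentication Failures": [("all", [":179", "IP-TCP-3-BADAUTH"])],
    "Cisco LDP Authentication Failures": [
        ("any", ["LDP"]),
        ("any", ["SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL", "TCPMD5AuthenFail"]),
    ],
    "Huawei BGP Authentication Failures": [("all", [":179", "BGP_AUTH_FAILED"])],
}

# Constructed sample syslog lines (not real device output): the message tokens
# are the page's keywords, the hosts and addresses are documentation ranges.
SAMPLE_LOGS = [
    "edge-r1 rpd[2201]: bgp_read_message: peer 192.0.2.10:179: missing MD5 digest",
    "core-r2 %IP-TCP-3-BADAUTH: Invalid MD5 digest from 192.0.2.10:179 to 198.51.100.1:52011",
    "core-r2 %IP-TCP-3-BADAUTH: Invalid MD5 digest from 192.0.2.10:179 to 198.51.100.1:52012",
    "pe-r3 LDP/4/TCPMD5AuthenFail: TCP MD5 authentication failed, peer 203.0.113.7:646",
    "pe-r4 %BGP/4/BGP_AUTH_FAILED: authentication failed for peer 192.0.2.10:179",
    "edge-r1 rpd[2201]: bgp_read_message: peer 192.0.2.11:179: connection closed",
    "core-r2 %SYS-5-CONFIG_I: Configured from console by admin",
]

def group_matches(kind, keywords, line):
    hits = [k.lower() in line.lower() for k in keywords]
    return all(hits) if kind == "all" else any(hits)

def matching_rules(line):
    """Names of all rules whose every keyword group matches the line."""
    return [name for name, groups in RULES.items()
            if all(group_matches(kind, kws, line) for kind, kws in groups)]

def scan(lines):
    """Map each rule name to the list of line indexes it fired on."""
    hits = {}
    for i, line in enumerate(lines):
        for name in matching_rules(line):
            hits.setdefault(name, []).append(i)
    return hits

def peers_by_hits(lines):
    """Count alerting lines per peer address (first addr:port in the line).
    One peer repeating is the misconfiguration case; many peers is not."""
    peers = Counter()
    for line in lines:
        if matching_rules(line):
            m = re.search(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+", line)
            peers[m.group(1) if m else "unknown"] += 1
    return peers
```

Note that the ":179" keyword alone (line 5, a plain connection close) does not fire any rule; only the combination with the vendor's failure token does.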