Detection | low | test

Cisco BGP Authentication Failures

Detects BGP failures which may be indicative of brute force attacks to manipulate routing

Author: Tim Brown
Created: Mon Jan 09
Updated: Mon Jan 23
Rule ID: 56fa3cd6-f8d6-4520-a8c7-607292971886
Category: network

Log Source
Product: cisco
Service: bgp

Definition

Requirements: Cisco BGP logs need to be enabled and ingested.

Detection Logic
detection:
    keywords_bgp_cisco:
        '|all':
            - ':179' # BGP TCP port
            - 'IP-TCP-3-BADAUTH' # TCP MD5 authentication failure message
    condition: keywords_bgp_cisco
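The selector above uses the Sigma '|all' keyword modifier, so an event only matches when every listed substring is present. The following Python is an added illustration (not part of the rule or the Sigma project) that applies that logic to constructed Cisco syslog lines and tallies matches per source address, which is the view an analyst needs to decide whether repeated MD5 failures look like a brute-force pattern or a single misconfigured peer. The "ip:port" rendering of the message, the sample lines and all addresses are assumptions built for the example.

```python
import re
from collections import Counter
from typing import Iterable

# Keywords from the rule's selector. The Sigma '|all' modifier means every
# keyword must occur somewhere in the event text for the event to match.
KEYWORDS_BGP_CISCO = (":179", "IP-TCP-3-BADAUTH")

# Constructed sample syslog lines (not captured from a real device). The
# "ip:port" rendering is an assumption; addresses are RFC 5737 documentation ranges.
SAMPLE_LOGS = [
    "Jan  9 10:01:02 rtr1 %IP-TCP-3-BADAUTH: Invalid MD5 digest from 192.0.2.10:35041 to 198.51.100.1:179",
    "Jan  9 10:01:04 rtr1 %IP-TCP-3-BADAUTH: Invalid MD5 digest from 192.0.2.10:35042 to 198.51.100.1:179",
    "Jan  9 10:01:05 rtr1 %IP-TCP-3-BADAUTH: Invalid MD5 digest from 192.0.2.10:35043 to 198.51.100.1:179",
    "Jan  9 10:01:09 rtr2 %BGP-5-ADJCHANGE: neighbor 203.0.113.5 Up",
    # MD5 failure on a non-BGP port: has the message ID but not ':179', so no match.
    "Jan  9 10:02:11 rtr1 %IP-TCP-3-BADAUTH: Invalid MD5 digest from 192.0.2.77:51000 to 198.51.100.1:22",
    # Same failure rendered with parentheses around the port: the literal ':179'
    # keyword is absent, so the rule as written does not fire on this format.
    "Jan  9 10:02:30 rtr3 %IP-TCP-3-BADAUTH: Invalid MD5 digest from 192.0.2.88(40000) to 198.51.100.3(179)",
    # Port 179 present, but no authentication failure message: no match.
    "Jan  9 10:03:00 rtr3 %BGP-3-NOTIFICATION: sent to neighbor 203.0.113.9:179 4/0 (hold time expired)",
]

# Pull the source address out of a matched message (assumed message layout).
SOURCE_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")


def matches_rule(line: str) -> bool:
    """Keyword match with '|all': a plain substring test for every keyword."""
    return all(keyword in line for keyword in KEYWORDS_BGP_CISCO)


def detect(lines: Iterable[str]) -> list[str]:
    """Return the events the rule would alert on."""
    return [line for line in lines if matches_rule(line)]


def failures_by_source(lines: Iterable[str]) -> Counter:
    """Count matched BGP authentication failures per source address."""
    counts: Counter = Counter()
    for line in detect(lines):
        found = SOURCE_RE.search(line)
        counts[found.group(1) if found else "unknown"] += 1
    return counts


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print("MATCH:", hit)
    for source, n in failures_by_source(SAMPLE_LOGS).most_common():
        print(f"{source}: {n} BGP MD5 failures")
```

Only the three failures directed at port 179 match; the same message on another port, the parenthesised port rendering, and a BGP notification that merely mentions ':179' are all ignored. When deploying the rule, confirm that the ingested log format actually renders the port with a colon, since the substring keyword depends on it.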
False Positives

Unlikely, except as a result of misconfiguration.

Rule Metadata
Rule ID
56fa3cd6-f8d6-4520-a8c7-607292971886
Status
test
Level
low
Type
Detection
Created
Mon Jan 09
Modified
Mon Jan 23
Author
Tim Brown
Path
rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml
Raw Tags
attack.initial-access, attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.credential-access, attack.collection, attack.t1078, attack.t1110, attack.t1557