
Huawei BGP Authentication Failures

Detects BGP authentication failures, which may indicate brute-force attempts against peer authentication credentials with the aim of manipulating routing.

Author: Tim Brown
Created: Mon Jan 09
Updated: Mon Jan 23
Rule ID: a557ffe6-ac54-43d2-ae69-158027082350
Category: network

Log Source
Product: huawei
Service: bgp

Definition

Requirements: Huawei BGP logs need to be enabled and ingested.

Detection Logic
detection:
    keywords_bgp_huawei:
        '|all':
            - ':179' # Protocol
            - 'BGP_AUTH_FAILED'
    condition: keywords_bgp_huawei
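The block below is an added example, not code from the rule, its author or the Sigma project. It applies the keyword logic above to a handful of constructed Huawei-style log lines (the message layout and the "peer A.B.C.D:179" formatting are assumptions, not verified Huawei output) to show two things a practitioner should know: Sigma keyword lists are case-insensitive substring matches and `|all` requires every keyword to appear in the same event, so an authentication failure logged without the ":179" port suffix is silently missed. It also goes one step beyond the rule with a per-peer count, since the brute-force pattern in the description only becomes visible across several events.

```python
"""Added example: evaluate the Sigma keyword rule against constructed Huawei-style
BGP log lines. Not part of the rule or the Sigma project."""
import re
from collections import Counter

# Keywords copied from the rule's detection block. Sigma keyword matching is a
# case-insensitive "contains"; '|all' means every keyword must appear in the event.
KEYWORDS_BGP_HUAWEI = [":179", "BGP_AUTH_FAILED"]

# Constructed sample events (assumed layout, not real Huawei output).
SAMPLE_LOGS = [
    "Jan 09 10:00:01 edge-rtr-01 %%01BGP/4/BGP_AUTH_FAILED(l): Authentication failed for peer 198.51.100.7:179",
    "Jan 09 10:00:02 edge-rtr-01 %%01BGP/4/BGP_AUTH_FAILED(l): Authentication failed for peer 198.51.100.7:179",
    "Jan 09 10:00:03 edge-rtr-01 %%01BGP/4/BGP_AUTH_FAILED(l): Authentication failed for peer 198.51.100.7:179",
    "Jan 09 10:00:04 edge-rtr-01 %%01BGP/4/BGP_AUTH_FAILED(l): Authentication failed for peer 203.0.113.9:179",
    # Caveat: same failure, but the port is not logged, so the ':179' keyword is absent -> no match.
    "Jan 09 10:00:05 edge-rtr-01 %%01BGP/4/BGP_AUTH_FAILED(l): Authentication failed for peer 203.0.113.10",
    # Ordinary session state change: contains ':179' but not the failure keyword -> no match.
    "Jan 09 10:00:06 edge-rtr-01 %%01BGP/3/STATE_CHG(l): Peer 198.51.100.8:179 changed from OPENCONFIRM to ESTABLISHED",
    # Unrelated login failure: neither keyword -> no match.
    "Jan 09 10:00:07 edge-rtr-01 %%01SSH/4/SSH_FAIL(l): Failed to login via SSH from 192.0.2.5",
]

# Hypothetical extractor for the peer address; depends on the assumed message layout.
PEER_RE = re.compile(r"peer (\d{1,3}(?:\.\d{1,3}){3})")


def matches_rule(event: str, keywords=KEYWORDS_BGP_HUAWEI) -> bool:
    """Sigma '|all' keyword semantics: every keyword is a case-insensitive substring of the event."""
    lowered = event.lower()
    return all(keyword.lower() in lowered for keyword in keywords)


def failures_per_peer(events) -> Counter:
    """Count matching events per peer address (triage step added here; not part of the rule)."""
    counts = Counter()
    for event in events:
        if matches_rule(event):
            match = PEER_RE.search(event)
            counts[match.group(1) if match else "unknown"] += 1
    return counts


def brute_force_candidates(events, threshold: int = 3) -> list:
    """Peers with at least `threshold` authentication failures, sorted for stable output."""
    return sorted(peer for peer, n in failures_per_peer(events).items() if n >= threshold)


if __name__ == "__main__":
    for event in SAMPLE_LOGS:
        print("MATCH " if matches_rule(event) else "      ", event)
    print(dict(failures_per_peer(SAMPLE_LOGS)))
    print(brute_force_candidates(SAMPLE_LOGS))
```

Run as-is, the first four lines match, the fifth (failure without a port) is missed, and 198.51.100.7 is the only peer crossing the example threshold. If the platform's actual BGP_AUTH_FAILED message does not include the port, the ":179" keyword should be dropped or the rule will not fire at all.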
False Positives

Unlikely, except where BGP peers are misconfigured (for example, an authentication key that was changed on one side of the session but not the other).

Rule Metadata
Rule ID
a557ffe6-ac54-43d2-ae69-158027082350
Status
test
Level
low
Type
Detection
Created
Mon Jan 09
Modified
Mon Jan 23
Author
Tim Brown
Path
rules/network/huawei/bgp/huawei_bgp_auth_failed.yml
Raw Tags
attack.initial-access
attack.persistence
attack.privilege-escalation
attack.defense-evasion
attack.credential-access
attack.collection
attack.t1078
attack.t1110
attack.t1557