
Cisco Sniffing

Detects when a monitor capture point or a SPAN/RSPAN session is set up or modified on a Cisco device.

Author: Austin Clark
Log Source
Product: cisco
Service: aaa
Detection Logic
detection:
    keywords:
        - 'monitor capture point'
        - 'set span'
        - 'set rspan'
    condition: keywords
False Positives

Admins may set up new SPAN/RSPAN sessions or modify existing ones, or use a monitor capture point for troubleshooting.
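Added example (not part of the rule or its repository): the keyword logic above applied to constructed Cisco AAA command-accounting lines with Sigma's default case-insensitive substring semantics, plus a triage step that marks hits from a hypothetical allowlist of known admins so the false-positive case noted above can be separated from unexpected activity. The log format, usernames and the `known_admins` allowlist are assumptions.

```python
import re

# Keywords copied from the rule above. Sigma keyword lists are OR-ed and,
# by default, matched case-insensitively as substrings of the whole event.
KEYWORDS = ("monitor capture point", "set span", "set rspan")

# Constructed sample of AAA command-accounting lines (format is an assumption,
# not real device output).
SAMPLE_LOGS = """\
Jan 04 10:01:12 sw1 user=alice priv-lvl=15 cmd=show running-config
Jan 04 10:02:45 sw1 user=bob priv-lvl=15 cmd=Monitor Capture Point ip cef CAP1 gi0/1 both
Jan 04 10:03:10 sw1 user=svc_backup priv-lvl=15 cmd=set span 1 2 both
Jan 04 10:04:00 sw1 user=alice priv-lvl=15 cmd=set rspan source vlan 10
Jan 04 10:05:30 sw1 user=alice priv-lvl=15 cmd=show interfaces status
"""

USER_RE = re.compile(r"user=(\S+)")


def sigma_keyword_match(event, keywords=KEYWORDS):
    """Return the first keyword contained in the event (case-insensitive), else None."""
    lowered = event.lower()
    for kw in keywords:
        if kw.lower() in lowered:
            return kw
    return None


def run_rule(log_text, known_admins=frozenset()):
    """Apply the rule line by line.

    Returns a list of (user, matched_keyword, is_known_admin) tuples, one per
    matching event. known_admins is a hypothetical allowlist (e.g. from a CMDB)
    used only to flag hits for triage; it does not suppress them.
    """
    hits = []
    for line in log_text.splitlines():
        kw = sigma_keyword_match(line)
        if kw is None:
            continue
        m = USER_RE.search(line)
        user = m.group(1) if m else "<unknown>"
        hits.append((user, kw, user in known_admins))
    return hits


def needs_review(hits):
    """Hits not attributable to a known admin: the ones an analyst should look at first."""
    return [h for h in hits if not h[2]]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_LOGS, known_admins=frozenset({"alice", "bob"})):
        print(hit)
```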

Rule Metadata
Rule ID
b9e1f193-d236-4451-aaae-2f3d2102120d
Status
test
Level
medium
Type
Detection
Created
Sun Aug 11
Modified
Wed Jan 04
Path
rules/network/cisco/aaa/cisco_cli_net_sniff.yml
Raw Tags
attack.credential-access, attack.discovery, attack.t1040