
Network Sniffing - Linux

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Author: Timur Zinniatullin, oscd.community
Log Source
Product: Linux (raw: linux)
Service: auditd (raw: auditd)
Detection Logic (2 selectors)
detection:
    selection_1:
        type: 'execve'
        a0: 'tcpdump'
        a1: '-c'
        a3|contains: '-i'
    selection_2:
        type: 'execve'
        a0: 'tshark'
        a1: '-c'
        a3: '-i'
    condition: 1 of selection_*
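As an added example (not part of the rule or of the Sigma project), the following Python evaluator applies the two selections above to constructed auditd EXECVE records, with the Sigma defaults of case-insensitive matching and `contains` as a substring test. It also shows what the field positions imply: the rule fires only for the argument order `tool -c <count> -i ...`, so a plain `tcpdump -i eth0` is not matched.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample auditd EXECVE records (illustrative, not taken from a real host).
SAMPLE_EVENTS = [
    'type=EXECVE msg=audit(1700000000.123:501): argc=5 a0="tcpdump" a1="-c" a2="100" a3="-i" a4="eth0"',
    'type=EXECVE msg=audit(1700000001.456:502): argc=4 a0="tshark" a1="-c" a2="50" a3="-i"',
    'type=EXECVE msg=audit(1700000002.789:503): argc=3 a0="tcpdump" a1="-i" a2="eth0"',
    'type=EXECVE msg=audit(1700000003.012:504): argc=2 a0="ls" a1="-la"',
]

# key=value pairs; values are either "quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_execve(line: str) -> Dict[str, str]:
    """Turn one auditd record into a dict of field name -> value (quotes stripped)."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields

# The rule's two selections as (field, modifier, value) triples.
SELECTIONS: Dict[str, List[Tuple[str, str, str]]] = {
    "selection_1": [("type", "equals", "execve"), ("a0", "equals", "tcpdump"),
                    ("a1", "equals", "-c"), ("a3", "contains", "-i")],
    "selection_2": [("type", "equals", "execve"), ("a0", "equals", "tshark"),
                    ("a1", "equals", "-c"), ("a3", "equals", "-i")],
}

def selection_matches(event: Dict[str, str], criteria: List[Tuple[str, str, str]]) -> bool:
    """All criteria of one selection must hold (Sigma map semantics)."""
    for field, modifier, value in criteria:
        actual = event.get(field)
        if actual is None:
            return False
        if modifier == "equals" and actual.lower() != value.lower():
            return False
        if modifier == "contains" and value.lower() not in actual.lower():
            return False
    return True

def rule_matches(line: str) -> List[str]:
    """Names of the selections that match; a non-empty list means '1 of selection_*' fires."""
    event = parse_execve(line)
    return [name for name, crit in SELECTIONS.items() if selection_matches(event, crit)]
```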
False Positives

A legitimate administrator or user running a network sniffing tool for legitimate reasons.

Rule Metadata
Rule ID
f4d3748a-65d1-4806-bd23-e25728081d01
Status
test
Level
low
Type
Detection
Created
Mon Oct 21
Modified
Sun Dec 18
Path
rules/linux/auditd/execve/lnx_auditd_network_sniffing.yml
Raw Tags
attack.credential-access, attack.discovery, attack.t1040