0312c481d9
When a Sigma rule writer wants to create a list of values where all of them must be matched for the rule to trigger, the approach used previously was to have an `all of` condition for a single selector. However, this has now changed, and the new approach is to use an empty key and the `|all` modifier (i.e., `'|all'`). This commit (tries to) identify all the rules that used the old approach and modifies them to use the new approach instead. See SigmaHQ/sigma-specification#53 for further discussion.
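To see what the new `'|all'` form changes, here is an added Python example (not part of this commit or of the Sigma project) that evaluates the keyword selection of the Juniper BGP rule in this commit over constructed Juniper-style log lines, once with the `'|all'` modifier (every keyword must appear in the same event) and once as a plain keyword list (any keyword suffices). The log lines, `SAMPLE_LOGS`, and the helper names are constructed for illustration.

```python
import fnmatch
from typing import Dict, List, Union

Selection = Union[List[str], Dict[str, List[str]]]

# Detection block of the rule in this commit, mirrored as Python literals.
# The empty key with the |all modifier is the literal dict key '|all'.
DETECTION_ALL = {
    "keywords_bgp_juniper": {"|all": [":179", "missing MD5 digest"]},
    "condition": "keywords_bgp_juniper",
}
# The same keywords as a plain list: Sigma keyword lists are OR-ed.
DETECTION_ANY = {
    "keywords_bgp_juniper": [":179", "missing MD5 digest"],
    "condition": "keywords_bgp_juniper",
}

# Constructed log lines approximating Juniper rpd syslog output (not real captures).
SAMPLE_LOGS = [
    "Jan  9 10:00:00 rtr1 rpd[1234]: bgp_recv: peer 192.0.2.1:179 (Internal AS 65000) missing MD5 digest",
    "Jan  9 10:00:01 rtr1 rpd[1234]: bgp_connect: peer 192.0.2.2:179 session established",
    "Jan  9 10:00:02 rtr1 sshd[99]: missing MD5 digest in received packet",
    "Jan  9 10:00:03 rtr1 chassisd: fan 1 speed nominal",
]


def keyword_hit(event: str, keyword: str) -> bool:
    """Sigma keyword semantics: case-insensitive substring, with * and ? wildcards.
    (Keywords containing '[' would need escaping for fnmatch; none here do.)"""
    return fnmatch.fnmatchcase(event.lower(), "*" + keyword.lower() + "*")


def selection_hit(event: str, selection: Selection) -> bool:
    """Plain list -> any keyword matches; {'|all': [...]} -> every keyword matches."""
    if isinstance(selection, list):
        return any(keyword_hit(event, k) for k in selection)
    if isinstance(selection, dict) and list(selection) == ["|all"]:
        return all(keyword_hit(event, k) for k in selection["|all"])
    raise ValueError("unsupported selection form: %r" % (selection,))


def evaluate(detection: dict, events: List[str] = SAMPLE_LOGS) -> List[bool]:
    """Apply the rule's single-selection condition to each event."""
    selection = detection[detection["condition"]]
    return [selection_hit(e, selection) for e in events]


if __name__ == "__main__":
    for name, det in (("|all", DETECTION_ALL), ("plain list", DETECTION_ANY)):
        print(name, evaluate(det))
```

Only the first line carries both `:179` and `missing MD5 digest`, so the `'|all'` form fires once while the plain list also fires on the unrelated port-179 session line and the sshd line.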
35 lines
983 B
YAML
title: Juniper BGP Missing MD5
id: a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43
status: experimental
description: Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.
references:
    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023/01/09
modified: 2023/01/23
tags:
    - attack.initial_access
    - attack.persistence
    - attack.privilege_escalation
    - attack.defense_evasion
    - attack.credential_access
    - attack.collection
    - attack.t1078
    - attack.t1110
    - attack.t1557
logsource:
    product: juniper
    service: bgp
    definition: 'Requirements: juniper bgp logs need to be enabled and ingested'
detection:
    keywords_bgp_juniper:
        '|all':
            - ':179' # Protocol
            - 'missing MD5 digest'
    condition: keywords_bgp_juniper
fields:
    - host
falsepositives:
    - Unlikely. Except due to misconfigurations
level: low
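Review bot: `description` and `falsepositives` in this file read as sentence fragments (`... missing MD5 digest. Which may be ...` and `Unlikely. Except due to ...`); suggest `Detects Juniper BGP sessions missing an MD5 digest, which may indicate brute-force attempts to manipulate routing.` and `Unlikely, except due to misconfigurations`. Separately, `':179'` is a bare substring keyword and on its own would also match unrelated text containing `:179`; under `'|all'` it only counts together with `'missing MD5 digest'`, which keeps the rule narrow, so consider stating that intent in place of the terse `# Protocol` comment.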