Nick Moore
0312c481d9
When a Sigma rule writer wants to create a list of values where all of them must be matched for the rule to trigger, the approach used previously was to have an `all of` condition for a single selector. However, this has now changed, and the new approach is to use an empty key and the |all modifier (i.e., `'|all'`). This commit (tries to) identify all the rules that used the old approach and modifies them to use the new approach instead. See SigmaHQ/sigma-specification#53 for further discussion.
36 lines
980 B
YAML
36 lines
980 B
YAML
title: Huawei BGP Authentication Failures
|
|
id: a557ffe6-ac54-43d2-ae69-158027082350
|
|
status: experimental
|
|
description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
|
|
references:
|
|
- https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
|
|
author: Tim Brown
|
|
date: 2023/01/09
|
|
modified: 2023/01/23
|
|
tags:
|
|
- attack.initial_access
|
|
- attack.persistence
|
|
- attack.privilege_escalation
|
|
- attack.defense_evasion
|
|
- attack.credential_access
|
|
- attack.collection
|
|
- attack.t1078
|
|
- attack.t1110
|
|
- attack.t1557
|
|
logsource:
|
|
product: huawei
|
|
service: bgp
|
|
definition: 'Requirements: huawei bgp logs need to be enabled and ingested'
|
|
detection:
|
|
keywords_bgp_huawei:
|
|
'|all':
|
|
- ':179' # Protocol
|
|
- 'BGP_AUTH_FAILED'
|
|
condition: keywords_bgp_huawei
|
|
fields:
|
|
- host
|
|
- PeeId
|
|
falsepositives:
|
|
- Unlikely. Except due to misconfigurations
|
|
level: low
|