From e109f59372ce0cfe9d1ff631d26981a8729dcd68 Mon Sep 17 00:00:00 2001
From: Daniel Beneyto
Date: Fri, 29 Sep 2023 10:21:46 +0200
Subject: [PATCH] Added bgp-detect template

---
 network/detection/bgp-detect.yaml | 44 +++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 network/detection/bgp-detect.yaml

diff --git a/network/detection/bgp-detect.yaml b/network/detection/bgp-detect.yaml
new file mode 100644
index 0000000000..d6d7952492
--- /dev/null
+++ b/network/detection/bgp-detect.yaml
@@ -0,0 +1,44 @@
+id: bgp-detect
+
+info:
+ name: BGP Detection
+ author: danfaizer
+ severity: info
+ tags: network,bgp,detect
+ description: |
+ The remote host is running BGP, a popular routing protocol. This indicates that the remote host is probably a network router.
+ impact: |
+ Following best practices, BGP services should only be accessible to participating BGP neighbors to prevent potential attacks.
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+ cvss-score: 0.0
+ cwe-id: CWE-200
+ reference:
+ - https://www.acunetix.com/vulnerabilities/network/vulnerability/bgp-detection/
+ - https://www.tenable.com/plugins/nessus/11907
+
+tcp:
+ - inputs:
+ - data: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF001D010400FFFF0000B4C0
+ # Source: https://www.rfc-editor.org/rfc/rfc4271.html#section-4.2
+ # FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF represents the 16-byte marker field.
+ # 001D is the total length of the BGP message, including the 19 bytes of the header and the optional parameters.
+ # 01 is the BGP message type, which is OPEN (1).
+ # 04 represents the BGP version, which is BGP-4.
+ # FFFF represents the Autonomous System Number (ASN) in hexadecimal format.
+ # 0000 represents the Hold Time.
+ # B4C0 represents the BGP Identifier, usually an IP address in hexadecimal format.
+ type: hex
+ name: resp
+
+ host:
+ - "{{Hostname}}"
+ - "{{Host}}:179"
+
+ read-size: 16
+
+ matchers:
+ - type: word
+ encoding: hex
+ words:
+ - "ffffffffffffffffffffffffffffffff"
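Review bot: The OPEN message in `data` is malformed: the length field `001D` declares 29 bytes but the hex string is only 27 bytes, and the byte-by-byte comment does not match the payload — after the version byte `04` there is a stray `00`, the BGP Identifier is a 4-byte field (not the 2-byte `B4C0`), and the trailing Optional Parameters Length byte is missing (RFC 4271 §4.2 gives 29 bytes for an OPEN with no optional parameters). A peer that reads the full declared length before parsing will never answer this probe, so a match then depends on the peer volunteering its own OPEN or NOTIFICATION first; a well-formed probe such as `- data: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF001D0104FDE800000A00000100` (AS 65000, hold time 0, identifier 10.0.0.1, no optional parameters) avoids that, and the comment block should be rewritten to describe those bytes. It is also worth stating in `description` that a non-match is not proof that BGP is absent: speakers protected with TCP MD5/TCP-AO, GTSM (TTL 255) or a neighbor ACL drop the TCP connection before any BGP message is exchanged, which is exactly the hardening `impact` recommends. The matcher itself is reasonable — any BGP message, including the NOTIFICATION a non-configured peer would likely return, begins with the 16-byte all-ones marker — but `read-size: 16` means the response is never inspected beyond the marker, so the template cannot distinguish an accepted OPEN from a rejection.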