id: bgp-detect

info:
  name: BGP Detection
  author: danfaizer
  severity: info
  description: |
    The remote host is running BGP, a popular routing protocol. This indicates that the remote host is probably a network router.
  reference:
    - https://www.acunetix.com/vulnerabilities/network/vulnerability/bgp-detection/
    - https://www.tenable.com/plugins/nessus/11907
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cwe-id: CWE-200
  metadata:
    max-request: 1
    shodan-query: product:"BGP"
  tags: network,bgp,detect

tcp:
  - inputs:
      - data: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF001D010400FFFF0000B4C0
        type: hex
        # Source: https://www.rfc-editor.org/rfc/rfc4271.html#section-4.2
        # FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF represents the 16-byte marker field.
        # 001D is the total length of the BGP message, including the 19 bytes of the header and the optional parameters.
        # 01 is the BGP message type, which is OPEN (1).
        # 04 represents the BGP version, which is BGP-4.
        # FFFF represents the Autonomous System Number (ASN) in hexadecimal format.
        # 0000 represents the Hold Time.
        # B4C0 represents the BGP Identifier, usually an IP address in hexadecimal format.

    host:
      - "{{Hostname}}"
    port: 179

    read-size: 16
    matchers:
      - type: word
        encoding: hex
        words:
          - "ffffffffffffffffffffffffffffffff"
# digest: 4b0a00483046022100b955c909287395bbf15e656c390f450515711fd117d0fc16e4203eb87bf7897a022100f5c63043f11463a59d307b0f5e0741f7ec3b1f0060adcfd4241364da868bcac6:922c64590222798bb761d5b6d8e72950