VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure
| Id | 840b050f-842b-4264-8973-d4f9b65facb5 |
| Rulename | VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure |
| Description | The VMware SD-WAN Edge appliance received packets that failed a Reverse Path Forwarding (RPF) Check. Reverse path forwarding (RPF) check is a network security mechanism that verifies whether the source IP address of a packet is reachable through the incoming interface on which the packet is received. The packet is dropped if the source IP address is not reachable through the incoming interface. RPF checks prevent spoofing attacks, in which an attacker uses a forged source IP address to make it appear that the packets are coming from a trusted source. This can allow the attacker to gain unauthorized network access or launch a denial-of-service attack against a target system. An IP fragmentation attack is a cyberattack that exploits how IP packets are fragmented and reassembled. IP fragmentation is a process by which large IP packets are broken down into smaller packets to transmit them over networks with smaller Maximum Transmission Unit (MTU) sizes. This analytics rule analyzes Syslog streams; these alerts are not reported by default if Search API is used. |
| Severity | Low |
| Tactics | Impact |
| Techniques | T1498 |
| Required data connectors | VMwareSDWAN |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-rpfcheck.yaml |
| Version | 1.0.0 |
| Arm template | 840b050f-842b-4264-8973-d4f9b65facb5.json |
Syslog
| where SyslogMessage contains "VCF Drop"
| where SyslogMessage contains "Reverse path forwarding check fail"
| project-rename EdgeName=HostName
| project-away Computer, HostIP, SourceSystem, Type
| extend OverlaySegmentName = extract("SEGMENT_NAME=(.+) COUNT=", 1, SyslogMessage)
| extend IpProtocol = extract("PROTO=(.+) SRC=", 1, SyslogMessage)
| extend SrcIpAddress = extract("SRC=(.+) DST=", 1, SyslogMessage)
| extend DstIpAddress = extract("DST=(.+) REASON=", 1, SyslogMessage)
| extend EdgeFwAction = extract("ACTION=(.+) SEGMENT=", 1, SyslogMessage)
| extend SyslogTag = extract("^(.+): ACTION=", 1, SyslogMessage)
| extend pcktCount = extract("COUNT=([0-9]+)$", 1, SyslogMessage)
| project
TimeGenerated,
EdgeFwAction,
EdgeName,
SrcIpAddress,
IpProtocol,
DstIpAddress,
pcktCount,
SyslogTag
tactics:
- Impact
triggerOperator: gt
queryPeriod: 1h
queryFrequency: 1h
requiredDataConnectors:
- dataTypes:
- SDWAN
connectorId: VMwareSDWAN
id: 840b050f-842b-4264-8973-d4f9b65facb5
relevantTechniques:
- T1498
eventGroupingSettings:
aggregationKind: SingleAlert
triggerThreshold: 0
suppressionEnabled: false
kind: Scheduled
entityMappings:
- fieldMappings:
- identifier: Address
columnName: SrcIpAddress
entityType: IP
query: |+
Syslog
| where SyslogMessage contains "VCF Drop"
| where SyslogMessage contains "Reverse path forwarding check fail"
| project-rename EdgeName=HostName
| project-away Computer, HostIP, SourceSystem, Type
| extend OverlaySegmentName = extract("SEGMENT_NAME=(.+) COUNT=", 1, SyslogMessage)
| extend IpProtocol = extract("PROTO=(.+) SRC=", 1, SyslogMessage)
| extend SrcIpAddress = extract("SRC=(.+) DST=", 1, SyslogMessage)
| extend DstIpAddress = extract("DST=(.+) REASON=", 1, SyslogMessage)
| extend EdgeFwAction = extract("ACTION=(.+) SEGMENT=", 1, SyslogMessage)
| extend SyslogTag = extract("^(.+): ACTION=", 1, SyslogMessage)
| extend pcktCount = extract("COUNT=([0-9]+)$", 1, SyslogMessage)
| project
TimeGenerated,
EdgeFwAction,
EdgeName,
SrcIpAddress,
IpProtocol,
DstIpAddress,
pcktCount,
SyslogTag
customDetails:
Edge_Name: EdgeName
name: VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure
version: 1.0.0
suppressionDuration: 5h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-rpfcheck.yaml
severity: Low
incidentConfiguration:
groupingConfiguration:
enabled: true
groupByEntities: []
lookbackDuration: 1h
groupByAlertDetails: []
matchingMethod: AllEntities
reopenClosedIncident: false
groupByCustomDetails: []
createIncident: true
description: |-
The VMware SD-WAN Edge appliance received packets that failed a Reverse Path Forwarding (RPF) Check.
Reverse path forwarding (RPF) check is a network security mechanism that verifies whether the source IP address of a packet is reachable through the incoming interface on which the packet is received. The packet is dropped if the source IP address is not reachable through the incoming interface.
RPF checks prevent spoofing attacks, in which an attacker uses a forged source IP address to make it appear that the packets are coming from a trusted source. This can allow the attacker to gain unauthorized network access or launch a denial-of-service attack against a target system.
An IP fragmentation attack is a cyberattack that exploits how IP packets are fragmented and reassembled. IP fragmentation is a process by which large IP packets are broken down into smaller packets to transmit them over networks with smaller Maximum Transmission Unit (MTU) sizes.
This analytics rule analyzes Syslog streams; these alerts are not reported by default if Search API is used.