Analytic rule catalog
VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack
Back
| Id | ce207901-ed7b-49ae-ada7-033e1fbb1240 |
| Rulename | VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack |
| Description | The VMware SD-WAN Edge appliance received packets potentially part of an IP Fragmentation attack or indicating an MTU mismatch. An IP fragmentation attack is a cyberattack that exploits how IP packets are fragmented and reassembled. IP fragmentation is a process by which large IP packets are broken down into smaller packets to transmit them over networks with smaller Maximum Transmission Unit (MTU) sizes. Attackers can exploit IP fragmentation in various ways, for example, Denial-of-service attacks, address spoofing, or even information disclosure. This analytics rule analyzes Syslog streams; these alerts are not reported by default if Search API is used. |
| Severity | Low |
| Tactics | Impact DefenseEvasion |
| Techniques | T1498 T1599 |
| Required data connectors | VMwareSDWAN |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware%20SD-WAN%20and%20SASE/Analytic%20Rules/vmw-sdwan-ipfrag-attempt.yaml |
| Version | 1.0.0 |
| Arm template | ce207901-ed7b-49ae-ada7-033e1fbb1240.json |
Syslog
| where SyslogMessage contains "VCF Drop"
| where SyslogMessage contains "packet too big"
| project-rename EdgeName=HostName
| project-away Computer, HostIP, SourceSystem, Type
| extend OverlaySegmentName = extract("SEGMENT_NAME=(.+) COUNT=", 1, SyslogMessage)
| extend IpProtocol = extract("PROTO=(.+) SRC=", 1, SyslogMessage)
| extend SrcIpAddress = extract("SRC=(.+) DST=", 1, SyslogMessage)
| extend DstIpAddress = extract("DST=(.+) REASON=", 1, SyslogMessage)
| extend EdgeFwAction = extract("ACTION=(.+) SEGMENT=", 1, SyslogMessage)
| extend SyslogTag = extract("^(.+): ACTION=", 1, SyslogMessage)
| extend pcktCount = extract("COUNT=([0-9]+)$", 1, SyslogMessage)
| project
TimeGenerated,
EdgeFwAction,
EdgeName,
SrcIpAddress,
IpProtocol,
DstIpAddress,
pcktCount,
SyslogTag
customDetails:
Edge_Name: EdgeName
queryPeriod: 1h
relevantTechniques:
- T1498
- T1599
description: |-
The VMware SD-WAN Edge appliance received packets potentially part of an IP Fragmentation attack or indicating an MTU mismatch.
An IP fragmentation attack is a cyberattack that exploits how IP packets are fragmented and reassembled. IP fragmentation is a process by which large IP packets are broken down into smaller packets to transmit them over networks with smaller Maximum Transmission Unit (MTU) sizes.
Attackers can exploit IP fragmentation in various ways, for example, Denial-of-service attacks, address spoofing, or even information disclosure.
This analytics rule analyzes Syslog streams; these alerts are not reported by default if Search API is used.
eventGroupingSettings:
aggregationKind: SingleAlert
severity: Low
triggerThreshold: 0
query: |+
Syslog
| where SyslogMessage contains "VCF Drop"
| where SyslogMessage contains "packet too big"
| project-rename EdgeName=HostName
| project-away Computer, HostIP, SourceSystem, Type
| extend OverlaySegmentName = extract("SEGMENT_NAME=(.+) COUNT=", 1, SyslogMessage)
| extend IpProtocol = extract("PROTO=(.+) SRC=", 1, SyslogMessage)
| extend SrcIpAddress = extract("SRC=(.+) DST=", 1, SyslogMessage)
| extend DstIpAddress = extract("DST=(.+) REASON=", 1, SyslogMessage)
| extend EdgeFwAction = extract("ACTION=(.+) SEGMENT=", 1, SyslogMessage)
| extend SyslogTag = extract("^(.+): ACTION=", 1, SyslogMessage)
| extend pcktCount = extract("COUNT=([0-9]+)$", 1, SyslogMessage)
| project
TimeGenerated,
EdgeFwAction,
EdgeName,
SrcIpAddress,
IpProtocol,
DstIpAddress,
pcktCount,
SyslogTag
entityMappings:
- fieldMappings:
- columnName: SrcIpAddress
identifier: Address
entityType: IP
requiredDataConnectors:
- dataTypes:
- SDWAN
connectorId: VMwareSDWAN
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware%20SD-WAN%20and%20SASE/Analytic%20Rules/vmw-sdwan-ipfrag-attempt.yaml
suppressionEnabled: false
queryFrequency: 1h
name: VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack
kind: Scheduled
id: ce207901-ed7b-49ae-ada7-033e1fbb1240
incidentConfiguration:
groupingConfiguration:
groupByCustomDetails: []
groupByEntities: []
enabled: true
matchingMethod: AllEntities
groupByAlertDetails: []
reopenClosedIncident: false
lookbackDuration: 1h
createIncident: true
tactics:
- Impact
- DefenseEvasion
suppressionDuration: 5h
version: 1.0.0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ce207901-ed7b-49ae-ada7-033e1fbb1240')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ce207901-ed7b-49ae-ada7-033e1fbb1240')]",
"properties": {
"alertRuleTemplateName": "ce207901-ed7b-49ae-ada7-033e1fbb1240",
"customDetails": {
"Edge_Name": "EdgeName"
},
"description": "The VMware SD-WAN Edge appliance received packets potentially part of an IP Fragmentation attack or indicating an MTU mismatch.\n\nAn IP fragmentation attack is a cyberattack that exploits how IP packets are fragmented and reassembled. IP fragmentation is a process by which large IP packets are broken down into smaller packets to transmit them over networks with smaller Maximum Transmission Unit (MTU) sizes.\n\nAttackers can exploit IP fragmentation in various ways, for example, Denial-of-service attacks, address spoofing, or even information disclosure.\n\nThis analytics rule analyzes Syslog streams; these alerts are not reported by default if Search API is used.",
"displayName": "VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddress",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware%20SD-WAN%20and%20SASE/Analytic%20Rules/vmw-sdwan-ipfrag-attempt.yaml",
"query": "Syslog\n| where SyslogMessage contains \"VCF Drop\"\n| where SyslogMessage contains \"packet too big\"\n| project-rename EdgeName=HostName\n| project-away Computer, HostIP, SourceSystem, Type\n| extend OverlaySegmentName = extract(\"SEGMENT_NAME=(.+) COUNT=\", 1, SyslogMessage)\n| extend IpProtocol = extract(\"PROTO=(.+) SRC=\", 1, SyslogMessage)\n| extend SrcIpAddress = extract(\"SRC=(.+) DST=\", 1, SyslogMessage)\n| extend DstIpAddress = extract(\"DST=(.+) REASON=\", 1, SyslogMessage)\n| extend EdgeFwAction = extract(\"ACTION=(.+) SEGMENT=\", 1, SyslogMessage)\n| extend SyslogTag = extract(\"^(.+): ACTION=\", 1, SyslogMessage)\n| extend pcktCount = extract(\"COUNT=([0-9]+)$\", 1, SyslogMessage)\n| project\n TimeGenerated,\n EdgeFwAction,\n EdgeName,\n SrcIpAddress,\n IpProtocol,\n DstIpAddress,\n pcktCount,\n SyslogTag\n\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Low",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"Impact"
],
"techniques": [
"T1498",
"T1599"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}