VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack
Id | ce207901-ed7b-49ae-ada7-033e1fbb1240 |
Rulename | VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack |
Description | The VMware SD-WAN Edge appliance received packets potentially part of an IP Fragmentation attack or indicating an MTU mismatch. An IP fragmentation attack is a cyberattack that exploits how IP packets are fragmented and reassembled. IP fragmentation is a process by which large IP packets are broken down into smaller packets to transmit them over networks with smaller Maximum Transmission Unit (MTU) sizes. Attackers can exploit IP fragmentation in various ways, for example, Denial-of-service attacks, address spoofing, or even information disclosure. This analytics rule analyzes Syslog streams; these alerts are not reported by default if Search API is used. |
Severity | Low |
Tactics | Impact DefenseEvasion |
Techniques | T1498 T1599 |
Required data connectors | VMwareSDWAN |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-ipfrag-attempt.yaml |
Version | 1.0.0 |
Arm template | ce207901-ed7b-49ae-ada7-033e1fbb1240.json |
Syslog
| where SyslogMessage contains "VCF Drop"
| where SyslogMessage contains "packet too big"
| project-rename EdgeName=HostName
| project-away Computer, HostIP, SourceSystem, Type
| extend OverlaySegmentName = extract("SEGMENT_NAME=(.+) COUNT=", 1, SyslogMessage)
| extend IpProtocol = extract("PROTO=(.+) SRC=", 1, SyslogMessage)
| extend SrcIpAddress = extract("SRC=(.+) DST=", 1, SyslogMessage)
| extend DstIpAddress = extract("DST=(.+) REASON=", 1, SyslogMessage)
| extend EdgeFwAction = extract("ACTION=(.+) SEGMENT=", 1, SyslogMessage)
| extend SyslogTag = extract("^(.+): ACTION=", 1, SyslogMessage)
| extend pcktCount = extract("COUNT=([0-9]+)$", 1, SyslogMessage)
| project
TimeGenerated,
EdgeFwAction,
EdgeName,
SrcIpAddress,
IpProtocol,
DstIpAddress,
pcktCount,
SyslogTag
relevantTechniques:
- T1498
- T1599
requiredDataConnectors:
- dataTypes:
- SDWAN
connectorId: VMwareSDWAN
triggerThreshold: 0
entityMappings:
- fieldMappings:
- identifier: Address
columnName: SrcIpAddress
entityType: IP
queryFrequency: 1h
queryPeriod: 1h
eventGroupingSettings:
aggregationKind: SingleAlert
version: 1.0.0
suppressionEnabled: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-ipfrag-attempt.yaml
incidentConfiguration:
groupingConfiguration:
lookbackDuration: 1h
matchingMethod: AllEntities
enabled: true
groupByCustomDetails: []
groupByAlertDetails: []
groupByEntities: []
reopenClosedIncident: false
createIncident: true
id: ce207901-ed7b-49ae-ada7-033e1fbb1240
query: |+
Syslog
| where SyslogMessage contains "VCF Drop"
| where SyslogMessage contains "packet too big"
| project-rename EdgeName=HostName
| project-away Computer, HostIP, SourceSystem, Type
| extend OverlaySegmentName = extract("SEGMENT_NAME=(.+) COUNT=", 1, SyslogMessage)
| extend IpProtocol = extract("PROTO=(.+) SRC=", 1, SyslogMessage)
| extend SrcIpAddress = extract("SRC=(.+) DST=", 1, SyslogMessage)
| extend DstIpAddress = extract("DST=(.+) REASON=", 1, SyslogMessage)
| extend EdgeFwAction = extract("ACTION=(.+) SEGMENT=", 1, SyslogMessage)
| extend SyslogTag = extract("^(.+): ACTION=", 1, SyslogMessage)
| extend pcktCount = extract("COUNT=([0-9]+)$", 1, SyslogMessage)
| project
TimeGenerated,
EdgeFwAction,
EdgeName,
SrcIpAddress,
IpProtocol,
DstIpAddress,
pcktCount,
SyslogTag
customDetails:
Edge_Name: EdgeName
suppressionDuration: 5h
kind: Scheduled
tactics:
- Impact
- DefenseEvasion
severity: Low
name: VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack
triggerOperator: gt
description: |-
The VMware SD-WAN Edge appliance received packets potentially part of an IP Fragmentation attack or indicating an MTU mismatch.
An IP fragmentation attack is a cyberattack that exploits how IP packets are fragmented and reassembled. IP fragmentation is a process by which large IP packets are broken down into smaller packets to transmit them over networks with smaller Maximum Transmission Unit (MTU) sizes.
Attackers can exploit IP fragmentation in various ways, for example, Denial-of-service attacks, address spoofing, or even information disclosure.
This analytics rule analyzes Syslog streams; these alerts are not reported by default if Search API is used.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ce207901-ed7b-49ae-ada7-033e1fbb1240')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ce207901-ed7b-49ae-ada7-033e1fbb1240')]",
"properties": {
"alertRuleTemplateName": "ce207901-ed7b-49ae-ada7-033e1fbb1240",
"customDetails": {
"Edge_Name": "EdgeName"
},
"description": "The VMware SD-WAN Edge appliance received packets potentially part of an IP Fragmentation attack or indicating an MTU mismatch.\n\nAn IP fragmentation attack is a cyberattack that exploits how IP packets are fragmented and reassembled. IP fragmentation is a process by which large IP packets are broken down into smaller packets to transmit them over networks with smaller Maximum Transmission Unit (MTU) sizes.\n\nAttackers can exploit IP fragmentation in various ways, for example, Denial-of-service attacks, address spoofing, or even information disclosure.\n\nThis analytics rule analyzes Syslog streams; these alerts are not reported by default if Search API is used.",
"displayName": "VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddress",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-ipfrag-attempt.yaml",
"query": "Syslog\n| where SyslogMessage contains \"VCF Drop\"\n| where SyslogMessage contains \"packet too big\"\n| project-rename EdgeName=HostName\n| project-away Computer, HostIP, SourceSystem, Type\n| extend OverlaySegmentName = extract(\"SEGMENT_NAME=(.+) COUNT=\", 1, SyslogMessage)\n| extend IpProtocol = extract(\"PROTO=(.+) SRC=\", 1, SyslogMessage)\n| extend SrcIpAddress = extract(\"SRC=(.+) DST=\", 1, SyslogMessage)\n| extend DstIpAddress = extract(\"DST=(.+) REASON=\", 1, SyslogMessage)\n| extend EdgeFwAction = extract(\"ACTION=(.+) SEGMENT=\", 1, SyslogMessage)\n| extend SyslogTag = extract(\"^(.+): ACTION=\", 1, SyslogMessage)\n| extend pcktCount = extract(\"COUNT=([0-9]+)$\", 1, SyslogMessage)\n| project\n TimeGenerated,\n EdgeFwAction,\n EdgeName,\n SrcIpAddress,\n IpProtocol,\n DstIpAddress,\n pcktCount,\n SyslogTag\n\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Low",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"Impact"
],
"techniques": [
"T1498",
"T1599"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}