Cisco Network Config Credentials
Detects credentials and sensitive configuration directives in Cisco IOS/NX-OS configuration files, including enable passwords/secrets, SNMP community strings with write access, PAC keys, and NVRAM/LDAP authentication indicators. Mirrors Snaffler rule KeepNetConfigCreds.
- Type
- regex
- Engine
- boost_regex
- Confidence
- high
- Confidence justification
- High confidence: the combination of Cisco-specific IOS directives (enable secret, snmp-server community RW, pac key) with network infrastructure corroborative keywords (hostname, interface, ip route) makes false positives extremely unlikely outside genuine Cisco configuration files.
- Jurisdictions
- global
- Regulations
- Criminal Code Act 1995 (Cth), Computer Fraud and Abuse Act, Computer Misuse Act 1990
- Frameworks
- CIS Controls, ISO 27001, NIST CSF
- Data categories
- credentials, network infrastructure, security
- Scope
- specific
- Platform compatibility
- Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Unsupported
Pattern
enable\s+(?:password|secret)\s+\S
Corroborative evidence keywords
service password-encryption, hostname, interface, ip route, version 1, no ip domain-lookup, spanning-tree
Proximity: 300 characters
Should match
- hostname CORE-SW1 enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0 service password-encryption — Cisco IOS enable secret with MD5 hash and hostname context
- snmp-server community S3cr3tStr RW snmp-server community public RO — SNMP community string with RW (write) access privilege
- snmp-server community private view ALL RW — SNMP community string with intermediate view token before RW (Snaffler parity)
- pac key 7 045802150C2E1D1C5A ip route 0.0.0.0 0.0.0.0 192.168.1.1 — PAC key with obfuscation type 7 in routing context
- NVRAM config last updated 09:14:23 UTC Mon Jun 10 2024 hostname ROUTER-01 — NVRAM config last updated marker with hostname
- simple-bind authenticated encrypt ldap-server host 10.1.1.50 — LDAP simple-bind encrypted authentication directive
Should not match
- the network device must have an enable-secret configured per the security policy — Prose mention of enable-secret requirement without an actual IOS directive (hyphenated, no space before value)
- the snmp-server community string should be changed from the default RW setting — Documentation prose about SNMP without a live community string value
Known false positives
- Sanitised configuration exports or documentation samples that include IOS syntax without live credential values. Mitigation: Require proximity to corroborative network keywords (hostname, interface, ip route) to confirm genuine Cisco config context. Template exclusion catches placeholder markers.
- Security hardening guides or audit checklists that quote Cisco commands as examples. Mitigation: The regex requires a non-whitespace character immediately after the enable password/secret keyword, ensuring a value is actually present.
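Added example, not part of this rule definition or of Snaffler's own code: a small Python checker that applies the pattern listed above, enforces the 300-character proximity to the corroborative evidence keywords, and implements the two mitigations from the known-false-positive list (keyword proximity and a template exclusion). The rule only states that a template exclusion "catches placeholder markers" without defining it, so the PLACEHOLDER expression here is an assumption, as are the sample configuration strings, which are constructed from the rule's own should-match and should-not-match lines.

```python
import re

# Pattern exactly as listed in the rule. The rule engine is boost_regex, but this
# particular expression uses only syntax that Python's re shares with Boost.
PATTERN = re.compile(r"enable\s+(?:password|secret)\s+\S")

# Corroborative evidence keywords and proximity window, copied from the rule.
CORROBORATIVE = (
    "service password-encryption", "hostname", "interface", "ip route",
    "version 1", "no ip domain-lookup", "spanning-tree",
)
PROXIMITY = 300

# Assumption: the rule does not spell out its template exclusion, so this is a
# constructed stand-in that suppresses hits whose line carries an obvious
# placeholder marker (<NAME>, {{ var }}, REDACTED, CHANGEME, xxxx...).
PLACEHOLDER = re.compile(
    r"<[^<>]+>|\{\{.*?\}\}|\bREDACTED\b|\bCHANGEME\b|\bx{4,}\b", re.IGNORECASE
)


def line_of(text, pos):
    """Return the full line of `text` that contains character offset `pos`."""
    start = text.rfind("\n", 0, pos) + 1
    end = text.find("\n", pos)
    return text[start:] if end == -1 else text[start:end]


def find_hits(text):
    """Return [(line, corroborating_keywords)] for every pattern match that is
    not a template placeholder and has at least one corroborative keyword
    within PROXIMITY characters on either side of the match."""
    hits = []
    lowered = text.lower()  # keywords are compared case-insensitively
    for m in PATTERN.finditer(text):
        line = line_of(text, m.start())
        if PLACEHOLDER.search(line):
            continue  # sanitised export or documentation sample, not a live value
        lo = max(0, m.start() - PROXIMITY)
        hi = min(len(text), m.end() + PROXIMITY)
        window = lowered[lo:hi]
        found = sorted(k for k in CORROBORATIVE if k in window)
        if found:
            hits.append((line, found))
    return hits


# Constructed samples built from the rule's own example lines.
LIVE_CONFIG = (
    "hostname CORE-SW1\n"
    "enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0\n"
    "service password-encryption\n"
)
# Hyphenated "enable-secret" in prose: the pattern needs whitespace after "enable".
PROSE_ONLY = "the network device must have an enable-secret configured per the security policy\n"
# A real directive, but the only corroborative keyword sits more than 300 chars away.
NO_CONTEXT = "enable secret 5 abc\n" + "!" * 400 + "\nhostname R1\n"
# A templated export: the directive is present but the value is a placeholder.
TEMPLATE = "hostname <HOSTNAME>\nenable secret <ENABLE_SECRET>\ninterface GigabitEthernet0/1\n"

if __name__ == "__main__":
    for name, sample in [("live", LIVE_CONFIG), ("prose", PROSE_ONLY),
                         ("no-context", NO_CONTEXT), ("template", TEMPLATE)]:
        print(f"{name:>10}: {find_hits(sample)}")
```

Only the enable password/secret expression is listed under Pattern, so the SNMP community, PAC key, NVRAM and LDAP should-match lines fall outside this checker; they would need the additional expressions the rule description refers to. The proximity window is measured in raw characters across line breaks, matching the rule's "300 characters" rather than a line count.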