[Bro] Modifying the Fox-IT Meterpreter script to raise a notice

Gary Faulkner gfaulkner.nsm at gmail.com
Tue Aug 11 16:26:08 PDT 2015


Good pointer. I had gotten a couple hits already, and noticed the notice
line had a few empty fields, but hadn't looked into it further yet. I'll
give that a shot.

On 8/11/2015 5:44 PM, Mike Dopheide wrote:
> I did something similar, but my Notice code looks like this to help
> populate the other fields.  I haven't gotten around to doing a production
> test yet.
>
>
>   NOTICE([$note=FoxIT::Meterpreter,
>           $msg=fmt("%DT: Possible Meterpreter Payload transferred! %s:%s -> %s:%s",
>                    c$start_time, c$id$resp_h, c$id$resp_p, c$id$orig_h, c$id$orig_p),
>           $conn=c,
>           $src=c$id$orig_h,
>           $dst=c$id$resp_h,
>           $identifier=cat(c$id$resp_h,c$id$orig_h)]);
>
> On Tue, Aug 11, 2015 at 5:39 PM, Gary Faulkner <gfaulkner.nsm at gmail.com>
> wrote:
>
>> Fox-IT shared a script after Bro Con that looks for evidence of
>> meterpreter payloads being downloaded, but it prints the results, which
>> should work fine with pcaps, but doesn't seem useful for running on live
>> traffic. To run this against live traffic it seems like it would be
>> preferable to raise a notice instead. What I was thinking was something
>> such as below, but I'm not sure if I'm missing any pieces, or if I'm
>> even thinking this through correctly. Will this work? Is it likely to be
>> cluster safe?
>>
>> Modified code is below:
>>
>> module Meterpreter;
>>
>> export {
>>      #Add new notice type for Meterpreter
>>      redef enum Notice::Type += {
>>          Meterpreter_Seen,
>>      };
>>      redef record connection += {
>>          meterpreter_payload_size: count &optional;
>>      };
>> }
>>
>> event tcp_packet(c: connection, is_orig: bool, flags: string,
>>                   seq: count, ack: count, len: count, payload: string)
>> {
>>      if(|payload| == 4 && seq == 1)
>>          {
>>          c$meterpreter_payload_size = bytestring_to_count(payload, T);
>>          }
>>      else if (c?$meterpreter_payload_size && seq == 1 && flags == "AP" && ack > 5)
>>          {
>>          if (c$meterpreter_payload_size == ack-5)
>>              {
>>              #Raise a notice if we think we've seen a payload
>>              NOTICE([$note=Meterpreter_Seen,
>>                      $msg=fmt("%DT: Possible Meterpreter Payload transferred! %s:%s -> %s:%s",
>>                               c$start_time, c$id$resp_h, c$id$resp_p, c$id$orig_h, c$id$orig_p)]);
>>              }
>>          }
>> }
>>
>>
>> The original code is here:
>>
>> https://github.com/fox-it/bro-scripts/blob/master/meterpreter.bro
>>
>> ## meterpreter.bro
>> ##
>> ## Bro-IDS policy to detect Metasploit's meterpreter payload transfer
>> ## Note that it does not detect payload transfers over SSL
>> ##
>> ## Fox-IT
>> ## Security Research Team
>> ##
>> ## https://github.com/fox-it/bro-scripts
>>
>> export {
>>      redef record connection += {
>>          meterpreter_payload_size: count &optional;
>>      };
>> }
>>
>> event tcp_packet(c: connection, is_orig: bool, flags: string,
>>                   seq: count, ack: count, len: count, payload: string)
>> {
>>      if(|payload| == 4 && seq == 1)
>>          {
>>          c$meterpreter_payload_size = bytestring_to_count(payload, T);
>>          }
>>      else if (c?$meterpreter_payload_size && seq == 1 && flags == "AP" && ack > 5)
>>          {
>>          if (c$meterpreter_payload_size == ack-5)
>>              {
>>              print( fmt("%DT: Possible Meterpreter Payload transferred! %s:%s -> %s:%s",
>>                         c$start_time, c$id$resp_h, c$id$resp_p, c$id$orig_h, c$id$orig_p));
>>              }
>>          }
>> }
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
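The two suggestions in the thread combined into one loadable script, as an added example that is not code from the thread or from Fox-IT's repository: the meterpreter.bro heuristic unchanged, the Meterpreter_Seen notice type from the modified script, the $conn/$src/$dst/$identifier fields Mike suggested, a suppression interval, and a Notice::policy hook for escalation. The tunable `suppression_interval` is an assumption of this example, not something on the page; the timestamp is dropped from $msg because notice.log carries its own `ts` column.

```bro
##! Added example (not the thread's or Fox-IT's code): Fox-IT's meterpreter
##! heuristic raising a Notice with the fields needed for suppression and
##! cluster-wide de-duplication.

@load base/frameworks/notice

module Meterpreter;

export {
	redef enum Notice::Type += {
		## One side of a TCP stream announced a 4-byte payload length that
		## the peer later acknowledged exactly (Fox-IT's staging heuristic).
		Meterpreter_Seen,
	};

	## Assumed tunable (not on the page): repeat notices for the same
	## server/client pair are suppressed for this long.
	const suppression_interval = 1hr &redef;

	redef record connection += {
		meterpreter_payload_size: count &optional;
	};
}

event tcp_packet(c: connection, is_orig: bool, flags: string,
                 seq: count, ack: count, len: count, payload: string)
	{
	# First data segment of a side: a 4-byte little-endian length prefix.
	if ( |payload| == 4 && seq == 1 )
		{
		c$meterpreter_payload_size = bytestring_to_count(payload, T);
		return;
		}

	# The peer's first segment (relative seq 1) acknowledges exactly the
	# prefix plus the stage: 1 + 4 + size == ack, i.e. size == ack - 5.
	if ( c?$meterpreter_payload_size && seq == 1 && flags == "AP" &&
	     ack > 5 && c$meterpreter_payload_size == ack - 5 )
		{
		NOTICE([$note=Meterpreter_Seen,
		        $msg=fmt("Possible Meterpreter payload transferred (%d bytes)",
		                 c$meterpreter_payload_size),
		        $sub=fmt("%s:%s -> %s:%s", c$id$resp_h, c$id$resp_p,
		                 c$id$orig_h, c$id$orig_p),
		        $conn=c,
		        $src=c$id$orig_h,
		        $dst=c$id$resp_h,
		        # Same identifier Mike used: one notice per server/client
		        # pair until suppress_for expires.
		        $identifier=cat(c$id$resp_h, c$id$orig_h),
		        $suppress_for=suppression_interval]);
		}
	}

# Optional escalation: also e-mail this note (requires Notice::mail_dest).
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == Meterpreter_Seen )
		add n$actions[Notice::ACTION_EMAIL];
	}
```

Run it against a capture with `bro -r capture.pcap meterpreter.bro` and look in notice.log rather than on stdout. On the cluster question: each connection is handled entirely by one worker, so the per-connection `meterpreter_payload_size` field never needs to be shared, and the notice framework forwards workers' notices to the manager, which applies `$identifier`/`$suppress_for` suppression there, so duplicate notices for the same pair are collapsed cluster-wide. The remaining cost is that `tcp_packet` fires for every TCP packet once a handler for it exists, which is noticeable on busy live links.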


