[Bro] Modifying the Fox-IT Meterpreter script to raise a notice

Gary Faulkner gfaulkner.nsm at gmail.com
Tue Aug 11 15:39:07 PDT 2015


Fox-IT shared a script after Bro Con that looks for evidence of 
meterpreter payloads being downloaded, but it prints its results, which 
works fine for pcaps yet doesn't seem useful when running on live 
traffic. For live traffic it seems preferable to raise a notice instead. 
What I had in mind is shown below, but I'm not sure whether I'm missing 
any pieces, or even whether I'm thinking this through correctly. Will 
this work? Is it likely to be cluster-safe?

Modified code is below:

module Meterpreter;

export {
     ## Remembers the 4-byte length prefix seen on the first data segment
     ## of a connection so that a later packet handler can compare it
     ## against the peer's acknowledgement number.
     redef record connection += {
         meterpreter_payload_size: count &optional;
     };

     ## Notice type raised when the acknowledged byte count matches the
     ## announced payload length.
     redef enum Notice::Type += {
         Meterpreter_Seen,
     };
}

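## Watches first-in-direction TCP segments (relative seq 1). A first segment
## of exactly 4 bytes is recorded as a big-endian length prefix
## (bytestring_to_count(payload, T)); when a later first segment with flags
## "AP" acknowledges exactly that many bytes beyond the prefix (ack - 5),
## Meterpreter_Seen is raised.
##
## c:       the connection; carries meterpreter_payload_size between packets
## is_orig: direction of this packet (not consulted here, see NOTE below)
## flags:   TCP flag string, e.g. "AP" for ACK+PSH
## seq:     relative sequence number of this segment
## ack:     relative acknowledgement number of this segment
## len:     segment length reported by the packet handler (unused; |payload| is used)
## payload: segment payload
event tcp_packet(c: connection, is_orig: bool, flags: string,
                  seq: count, ack: count, len: count, payload: string)
{
     # First data segment of either direction carrying exactly 4 bytes:
     # treat it as the announced payload length.
     if ( |payload| == 4 && seq == 1 )
         {
         c$meterpreter_payload_size = bytestring_to_count(payload, T);
         return;
         }

     # NOTE(review): neither branch checks is_orig, so the length prefix and
     # the acknowledging segment could come from the same side; the notice
     # text assumes resp -> orig (a connect-back stager) -- confirm.
     if ( ! c?$meterpreter_payload_size || seq != 1 || flags != "AP" || ack <= 5 )
         return;

     # Presumably ack covers the initial offset of 1 plus the 4-byte prefix,
     # so ack - 5 is the number of payload bytes the peer has acknowledged.
     if ( c$meterpreter_payload_size != ack - 5 )
         return;

     # $conn populates id/uid in notice.log; $identifier lets the notice
     # framework suppress repeated notices for the same host pair.
     NOTICE([$note=Meterpreter_Seen,
             $msg=fmt("%DT: Possible Meterpreter Payload transfered! %s:%s -> %s:%s",
                      c$start_time, c$id$resp_h, c$id$resp_p, c$id$orig_h, c$id$orig_p),
             $conn=c,
             $identifier=cat(c$id$orig_h, c$id$resp_h)]);
}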


The original code is here:

https://github.com/fox-it/bro-scripts/blob/master/meterpreter.bro

## meterpreter.bro
##
## Bro-IDS policy to detect Metasploit's meterpreter payload transfer
## Note that it does not detect payload transfers over SSL
##
## Fox-IT
## Security Research Team
##
## https://github.com/fox-it/bro-scripts

export {
     ## Length prefix read from the first 4-byte segment of the connection;
     ## set by the tcp_packet handler below and compared against the
     ## peer's acknowledgement number.
     redef record connection += {
         meterpreter_payload_size: count &optional;
     };
}

## Flags the transfer of a length-prefixed payload: the first 4-byte
## segment (relative seq 1) sets meterpreter_payload_size, and a later
## first segment with flags "AP" whose ack equals that size plus 5
## triggers the print.
event tcp_packet(c: connection, is_orig: bool, flags: string,
                  seq: count, ack: count, len: count, payload: string)
{
     # Only first-in-direction segments are of interest.
     if ( seq != 1 )
         return;

     if ( |payload| == 4 )
         {
         # Remember the big-endian 4-byte length prefix.
         c$meterpreter_payload_size = bytestring_to_count(payload, T);
         return;
         }

     # No prefix recorded yet, or not an ACK+PSH past the prefix: nothing to do.
     if ( ! c?$meterpreter_payload_size || flags != "AP" || ack <= 5 )
         return;

     local acked = ack - 5;
     if ( acked == c$meterpreter_payload_size )
         print( fmt("%DT: Possible Meterpreter Payload transfered! %s:%s -> %s:%s",
                    c$start_time, c$id$resp_h, c$id$resp_p, c$id$orig_h, c$id$orig_p));
}



