[Bro] Modifying the Fox-IT Meterpreter script to raise a notice

Mike Dopheide dopheide at gmail.com
Tue Aug 11 15:44:11 PDT 2015


I did something similar, but my Notice code looks like this so that the
other notice fields get populated as well.  I haven't gotten around to a
production test yet.


  #Notice for a suspected stage transfer. Passing $conn presumably lets the
  #Notice framework fill the connection-derived fields (uid, id) itself --
  #confirm; $src/$dst are set explicitly to originator/responder, i.e. the
  #client that opened the connection and the host it connected to. Note the
  #message prints the opposite direction, responder -> originator.
  #$identifier keyed on the host pair drives Notice suppression, so repeated
  #hits between the same two hosts within the suppression interval collapse
  #into one notice (distinct connections between them are merged too) --
  #confirm that is the intended granularity. FoxIT::Meterpreter is defined
  #elsewhere (not shown here).
  NOTICE([$note=FoxIT::Meterpreter,
                       $msg=fmt("%DT: Possible Meterpreter Payload
transfered! %s:%s -> %s:%s",
               c$start_time, c$id$resp_h, c$id$resp_p, c$id$orig_h,
c$id$orig_p),
                                $conn=c,
                                $src=c$id$orig_h,
                                $dst=c$id$resp_h,
                                $identifier=cat(c$id$resp_h,c$id$orig_h)]);

On Tue, Aug 11, 2015 at 5:39 PM, Gary Faulkner <gfaulkner.nsm at gmail.com>
wrote:

> Fox-IT shared a script after Bro Con that looks for evidence of
> meterpreter payloads being downloaded, but it only prints the results.
> That works fine with pcaps but isn't very useful on live traffic, where
> it seems preferable to raise a notice instead. What I was thinking is
> something like the code below, but I'm not sure whether I'm missing any
> pieces or even thinking this through correctly. Will this work? Is it
> likely to be cluster-safe?
>
> Modified code is below:
>
> module Meterpreter;
>
> export {
>      #Add new notice type for Meterpreter
>      redef enum Notice::Type += {
>          Meterpreter_Seen,
>      };
>      #Per-connection state: the 4-byte length prefix seen in the first data
>      #segment. It lives on the connection record, so presumably it stays on
>      #the worker that owns the connection (cluster-safe) -- confirm.
>      redef record connection += {
>          meterpreter_payload_size: count &optional;
>      };
> }
>
> #Heuristic for a length-prefixed stage transfer: one side announces a size
> #in its first 4 payload bytes, the other side later acks exactly that many
> #bytes on top of the prefix. tcp_packet fires for every TCP packet and is
> #documented as expensive, so the cost on live traffic should be measured.
> event tcp_packet(c: connection, is_orig: bool, flags: string,
>                   seq: count, ack: count, len: count, payload: string)
> {
>      #First data segment of either side (seq == 1; is_orig is not checked,
>      #so either direction can set or overwrite the value) that is exactly
>      #4 bytes is taken as the announced size. The T argument presumably
>      #selects little-endian -- confirm against bytestring_to_count.
>      if(|payload| == 4 && seq == 1)
>          {
>          c$meterpreter_payload_size = bytestring_to_count(payload, T);
>          }
>      #A PSH+ACK from a side that presumably has sent no data itself yet
>      #(relative seq == 1) while the peer has sent more than 4 bytes
>      #(ack > 5, i.e. beyond SYN + prefix).
>      else if (c?$meterpreter_payload_size && seq == 1 && flags == "AP"
> && ack > 5)
>          {
>          #ack-5 == size: SYN (1) + 4-byte prefix + the announced payload has
>          #been acked, i.e. the whole announced blob arrived. Any protocol
>          #with a 4-byte length prefix matches this shape too, so expect
>          #false positives and validate on live traffic.
>          if (c$meterpreter_payload_size == ack-5)
>              {
>              #Raise a notice if we think we've seen a payload
>              #The message prints responder -> originator. Only $note and
>              #$msg are set: no $conn (so the notice carries no uid/id to
>              #pivot on) and no $identifier (so repeats between the same
>              #hosts are not suppressed) -- consider adding both.
>              NOTICE([$note=Meterpreter_Seen,
>              $msg=fmt("%DT: Possible Meterpreter Payload transfered!
> %s:%s -> %s:%s",
>              c$start_time, c$id$resp_h, c$id$resp_p, c$id$orig_h,
> c$id$orig_p)]);
>              }
>          }
> }
>
>
> The original code is here:
>
> https://github.com/fox-it/bro-scripts/blob/master/meterpreter.bro
>
> ## meterpreter.bro
> ##
> ## Bro-IDS policy to detect Metasploit's meterpreter payload transfer
> ## Note that it does not detect payload transfers over SSL
> ##
> ## Fox-IT
> ## Security Research Team
> ##
> ## https://github.com/fox-it/bro-scripts
>
> export {
>      #Per-connection state: the 4-byte length prefix seen in the first data
>      #segment of the connection.
>      redef record connection += {
>          meterpreter_payload_size: count &optional;
>      };
> }
>
> #Heuristic for a length-prefixed stage transfer: one side announces a size
> #in its first 4 payload bytes, the other side later acks exactly that many
> #bytes on top of the prefix. tcp_packet fires for every TCP packet and is
> #documented as expensive.
> event tcp_packet(c: connection, is_orig: bool, flags: string,
>                   seq: count, ack: count, len: count, payload: string)
> {
>      #First data segment of either side (seq == 1; is_orig is not checked)
>      #that is exactly 4 bytes is taken as the announced size. The T argument
>      #presumably selects little-endian -- confirm against bytestring_to_count.
>      if(|payload| == 4 && seq == 1)
>          {
>          c$meterpreter_payload_size = bytestring_to_count(payload, T);
>          }
>      #A PSH+ACK from a side that presumably has sent no data itself yet
>      #(relative seq == 1) while the peer has sent more than 4 bytes.
>      else if (c?$meterpreter_payload_size && seq == 1 && flags == "AP"
> && ack > 5)
>          {
>          #ack-5 == size: SYN (1) + 4-byte prefix + the announced payload has
>          #been acked. Any 4-byte-length-prefixed protocol matches this shape
>          #too, so expect false positives.
>          if (c$meterpreter_payload_size == ack-5)
>              {
>              #Only prints to stdout (responder -> originator); there is no
>              #notice, no suppression and no connection uid in the output,
>              #which is why this suits pcap runs but not live monitoring.
>              print( fmt("%DT: Possible Meterpreter Payload transfered!
> %s:%s -> %s:%s",
>                 c$start_time, c$id$resp_h, c$id$resp_p, c$id$orig_h,
> c$id$orig_p));
>              }
>          }
> }
>
>

