[Bro] Modifying the Fox-IT Meterpreter script to raise a notice
Mike Dopheide
dopheide at gmail.com
Tue Aug 11 15:44:11 PDT 2015
I did something similar, but my NOTICE call looks like this so that the
other notice fields (uid/id via $conn, $src, $dst, and $identifier for
suppression) get populated. I haven't gotten around to doing a production
test yet.
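# Raise the notice with full connection context: $conn lets the notice
# framework fill in uid/id so the alert joins to conn.log, and $identifier
# collapses repeated hits for the same host pair into one notice per
# Notice::default_suppression_interval.
# (The message literal is one line; a line break inside a string literal is
# not valid Bro and was presumably mail wrapping.)
NOTICE([$note=FoxIT::Meterpreter,
        $msg=fmt("%DT: Possible Meterpreter Payload transfered! %s:%s -> %s:%s",
                 c$start_time, c$id$resp_h, c$id$resp_p, c$id$orig_h,
                 c$id$orig_p),
        $conn=c,
        # Message prints responder first; $src/$dst follow the connection's
        # originator/responder instead, so the two orderings differ on purpose.
        $src=c$id$orig_h,
        $dst=c$id$resp_h,
        $identifier=cat(c$id$resp_h,c$id$orig_h)]);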
On Tue, Aug 11, 2015 at 5:39 PM, Gary Faulkner <gfaulkner.nsm at gmail.com>
wrote:
> Fox-IT shared a script after Bro Con that looks for evidence of
> meterpreter payloads being downloaded, but it prints the results, which
> should work fine with pcaps, but doesn't seem useful for running on live
> traffic. To run this against live traffic it seems like it would be
> preferable to raise a notice instead. What I was thinking was something
> such as below, but I'm not sure if I'm missing any pieces, or if I'm
> even thinking this through correctly. Will this work? Is it likely to be
> cluster safe?
>
> Modified code is below:
>
> module Meterpreter;
>
> export {
>     ## Expected stage size, read from the 4-byte length prefix carried by
>     ## the first data segment of one side. Absent until that segment is seen.
>     redef record connection += {
>         meterpreter_payload_size: count &optional;
>     };
>
>     ## Notice type raised by the tcp_packet handler when the peer's first
>     ## data segment acknowledges exactly the announced stage size.
>     redef enum Notice::Type += {
>         Meterpreter_Seen,
>     };
> }
>
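> ## Per-segment check for the Metasploit meterpreter staging pattern: one side's
> ## first data segment (relative seq 1) carries a 4-byte little-endian length,
> ## and a later first data segment with PSH+ACK acknowledges exactly that many
> ## bytes plus the prefix. is_orig is not consulted, so a 4-byte first segment
> ## from either endpoint arms the check. All state lives on the connection
> ## record, so each cluster worker only ever sees its own connections; the
> ## notice framework handles the rest.
> ## NOTE(review): a tcp_packet handler makes Bro hand every TCP segment to
> ## script-land, which is expensive on live traffic — confirm the load is OK.
> event tcp_packet(c: connection, is_orig: bool, flags: string,
>                  seq: count, ack: count, len: count, payload: string)
>     {
>     # First data byte of a side and exactly 4 bytes of payload: treat it as
>     # the length prefix of a stage (T = little endian).
>     if ( |payload| == 4 && seq == 1 )
>         {
>         c$meterpreter_payload_size = bytestring_to_count(payload, T);
>         }
>     # Presumably the peer's first data segment (PSH+ACK). Its ack must cover
>     # the 4-byte prefix plus the sequence number consumed by the SYN (the 5)
>     # plus the whole stage; `ack > 5` keeps the count subtraction from
>     # wrapping.
>     else if ( c?$meterpreter_payload_size && seq == 1 && flags == "AP"
>               && ack > 5 && c$meterpreter_payload_size == ack - 5 )
>         {
>         # $conn lets the notice framework fill in uid/id so the alert can be
>         # correlated with conn.log; $identifier suppresses repeats for the
>         # same host pair for Notice::default_suppression_interval instead of
>         # alerting on every matching connection.
>         NOTICE([$note=Meterpreter_Seen,
>                 $msg=fmt("%DT: Possible Meterpreter Payload transfered! %s:%s -> %s:%s",
>                          c$start_time, c$id$resp_h, c$id$resp_p, c$id$orig_h,
>                          c$id$orig_p),
>                 $conn=c,
>                 $src=c$id$orig_h,
>                 $dst=c$id$resp_h,
>                 $identifier=cat(c$id$orig_h, c$id$resp_h)]);
>         }
>     }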
>
>
> The original code is here:
>
> https://github.com/fox-it/bro-scripts/blob/master/meterpreter.bro
>
> ## meterpreter.bro
> ##
> ## Bro-IDS policy to detect Metasploit's meterpreter payload transfer
> ## Note that it does not detect payload transfers over SSL
> ##
> ## Fox-IT
> ## Security Research Team
> ##
> ## https://github.com/fox-it/bro-scripts
>
> export {
>     ## Stage size announced by the 4-byte length prefix in the first data
>     ## segment of one side. Left unset on connections where no such
>     ## segment was seen.
>     redef record connection += {
>         meterpreter_payload_size: count &optional;
>     };
> }
>
> ## Looks for the meterpreter staging pattern on every TCP segment: a 4-byte
> ## little-endian length in one side's first data segment, then a PSH+ACK
> ## first data segment whose ack covers prefix + stage. is_orig is not
> ## consulted, so either endpoint may supply the length prefix. Matches are
> ## printed rather than reported through the notice framework.
> event tcp_packet(c: connection, is_orig: bool, flags: string,
>                  seq: count, ack: count, len: count, payload: string)
>     {
>     local first_data = ( seq == 1 );
>
>     # Length prefix: first data byte of a side with exactly 4 bytes.
>     if ( first_data && |payload| == 4 )
>         {
>         c$meterpreter_payload_size = bytestring_to_count(payload, T);
>         return;
>         }
>
>     # Only segments on connections that already announced a size qualify.
>     if ( ! c?$meterpreter_payload_size )
>         return;
>
>     # First data segment with PSH+ACK; `ack > 5` keeps `ack-5` from wrapping.
>     if ( first_data && flags == "AP" && ack > 5
>          && c$meterpreter_payload_size == ack-5 )
>         {
>         print( fmt("%DT: Possible Meterpreter Payload transfered! %s:%s -> %s:%s",
>                    c$start_time, c$id$resp_h, c$id$resp_p, c$id$orig_h,
>                    c$id$orig_p));
>         }
>     }
>
>