[Bro] Modifying the Fox-IT Meterpreter script to raise a notice

Gary Faulkner gfaulkner.nsm at gmail.com
Tue Aug 11 16:59:45 PDT 2015


The identifier is used for notice suppression, correct? If I'm reading
this correctly, won't this suppress any further notices of this type that
have the same combination of src IP and dst IP for the default
suppression interval? Wouldn't this potentially result in missing
additional payloads?

On 8/11/2015 6:26 PM, Gary Faulkner wrote:
> Good pointer. I had gotten a couple hits already, and noticed the notice
> line had a few empty fields, but hadn't looked into it further yet. I'll
> give that a shot.
>
> On 8/11/2015 5:44 PM, Mike Dopheide wrote:
>> I did something similar, but my Notice code looks like this to help
>> populate the other fields.  I haven't gotten around to doing a production
>> test yet.
>>
>>
>>   NOTICE([$note=FoxIT::Meterpreter,
>>           $msg=fmt("%DT: Possible Meterpreter Payload transfered! %s:%s -> %s:%s",
>>                    c$start_time, c$id$resp_h, c$id$resp_p, c$id$orig_h, c$id$orig_p),
>>           $conn=c,
>>           $src=c$id$orig_h,
>>           $dst=c$id$resp_h,
>>           $identifier=cat(c$id$resp_h,c$id$orig_h)]);
>>
>> On Tue, Aug 11, 2015 at 5:39 PM, Gary Faulkner <gfaulkner.nsm at gmail.com>
>> wrote:
>>
>>> Fox-IT shared a script after Bro Con that looks for evidence of
>>> meterpreter payloads being downloaded, but it prints the results, which
>>> should work fine with pcaps, but doesn't seem useful for running on live
>>> traffic. To run this against live traffic it seems like it would be
>>> preferable to raise a notice instead. What I was thinking was something
>>> such as below, but I'm not sure if I'm missing any pieces, or if I'm
>>> even thinking this through correctly. Will this work? Is it likely to be
>>> cluster safe?
>>>
>>> Modified code is below:
>>>
>>> module Meterpreter;
>>>
>>> export {
>>>      #Add new notice type for Meterpreter
>>>      redef enum Notice::Type += {
>>>          Meterpreter_Seen,
>>>      };
>>>      redef record connection += {
>>>          meterpreter_payload_size: count &optional;
>>>      };
>>> }
>>>
>>> event tcp_packet(c: connection, is_orig: bool, flags: string,
>>>                   seq: count, ack: count, len: count, payload: string)
>>> {
>>>      if ( |payload| == 4 && seq == 1 )
>>>          {
>>>          c$meterpreter_payload_size = bytestring_to_count(payload, T);
>>>          }
>>>      else if ( c?$meterpreter_payload_size && seq == 1 && flags == "AP" && ack > 5 )
>>>          {
>>>          if ( c$meterpreter_payload_size == ack-5 )
>>>              {
>>>              #Raise a notice if we think we've seen a payload
>>>              NOTICE([$note=Meterpreter_Seen,
>>>                      $msg=fmt("%DT: Possible Meterpreter Payload transfered! %s:%s -> %s:%s",
>>>                               c$start_time, c$id$resp_h, c$id$resp_p, c$id$orig_h, c$id$orig_p)]);
>>>              }
>>>          }
>>> }
>>>
>>>
>>> The original code is here:
>>>
>>> https://github.com/fox-it/bro-scripts/blob/master/meterpreter.bro
>>>
>>> ## meterpreter.bro
>>> ##
>>> ## Bro-IDS policy to detect Metasploit's meterpreter payload transfer
>>> ## Note that it does not detect payload transfers over SSL
>>> ##
>>> ## Fox-IT
>>> ## Security Research Team
>>> ##
>>> ## https://github.com/fox-it/bro-scripts
>>>
>>> export {
>>>      redef record connection += {
>>>          meterpreter_payload_size: count &optional;
>>>      };
>>> }
>>>
>>> event tcp_packet(c: connection, is_orig: bool, flags: string,
>>>                   seq: count, ack: count, len: count, payload: string)
>>> {
>>>      if ( |payload| == 4 && seq == 1 )
>>>          {
>>>          c$meterpreter_payload_size = bytestring_to_count(payload, T);
>>>          }
>>>      else if ( c?$meterpreter_payload_size && seq == 1 && flags == "AP" && ack > 5 )
>>>          {
>>>          if ( c$meterpreter_payload_size == ack-5 )
>>>              {
>>>              print( fmt("%DT: Possible Meterpreter Payload transfered! %s:%s -> %s:%s",
>>>                         c$start_time, c$id$resp_h, c$id$resp_p, c$id$orig_h, c$id$orig_p));
>>>              }
>>>          }
>>> }
>>>
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
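Taking the suppression question above: an added example, not the Fox-IT script and not code from either poster, of the modified script with the notice keyed per connection so that a second payload between the same pair of hosts is still reported. It assumes the standard Bro `Notice::Info` fields (`$conn`, `$src`, `$dst`, `$identifier`) and the connection `uid`; the `$src`/`$dst` direction follows the responder-to-originator order of the original message string.

```bro
# Added example: Meterpreter stage check raising a per-connection notice.
module Meterpreter;

export {
    redef enum Notice::Type += {
        ## 4-byte length prefix matched the bytes later acknowledged.
        Meterpreter_Seen,
    };

    redef record connection += {
        meterpreter_payload_size: count &optional;
    };
}

event tcp_packet(c: connection, is_orig: bool, flags: string,
                 seq: count, ack: count, len: count, payload: string)
{
    # First 4 payload bytes at relative seq 1: little-endian stage length.
    if ( |payload| == 4 && seq == 1 )
        {
        c$meterpreter_payload_size = bytestring_to_count(payload, T);
        }
    else if ( c?$meterpreter_payload_size && seq == 1 && flags == "AP" && ack > 5 )
        {
        # The ack from the other side, minus the 4-byte prefix and the SYN,
        # should equal the announced stage length.
        if ( c$meterpreter_payload_size == ack - 5 )
            {
            NOTICE([$note=Meterpreter_Seen,
                    $msg=fmt("Possible Meterpreter payload transferred (%d bytes) %s:%s -> %s:%s",
                             c$meterpreter_payload_size,
                             c$id$resp_h, c$id$resp_p, c$id$orig_h, c$id$orig_p),
                    $conn=c,
                    # Assumption: the stage flows from responder to originator.
                    $src=c$id$resp_h,
                    $dst=c$id$orig_h,
                    # Keying on the uid limits suppression to this connection;
                    # cat(resp_h, orig_h) would mute the host pair for
                    # Notice::default_suppression_interval.
                    $identifier=c$uid]);
            }
        }
}
```

The only state is the field added to the connection record, which lives on the worker that sees that connection, so no cluster-wide synchronisation is needed; the notice itself is forwarded to the manager as usual.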