[Bro] Modifying the Fox-IT Meterpreter script to raise a notice

Mike Dopheide dopheide at gmail.com
Tue Aug 11 17:08:05 PDT 2015


Yes, it's a trade-off.  I generally prefer the one notice/alert to start an
investigation into everything the attacking IP was doing.

On Tuesday, August 11, 2015, Gary Faulkner <gfaulkner.nsm at gmail.com> wrote:

> The identifier is used for notice suppression correct? If I'm reading
> this correctly won't this suppress any further notices of this type that
> have the same combination of src ip and dst ip for the default
> suppression interval? Wouldn't this potentially result in missing
> additional payloads?
>
> On 8/11/2015 6:26 PM, Gary Faulkner wrote:
> > Good pointer. I had gotten a couple hits already, and noticed the notice
> > line had a few empty fields, but hadn't looked into it further yet. I'll
> > give that a shot.
> >
> > On 8/11/2015 5:44 PM, Mike Dopheide wrote:
> >> I did something similar, but my Notice code looks like this to help
> >> populate the other fields.  I haven't gotten around to doing a
> >> production test yet.
> >>
> >>
> >>   NOTICE([$note=FoxIT::Meterpreter,
> >>           $msg=fmt("%DT: Possible Meterpreter Payload transfered! %s:%s -> %s:%s",
> >>                    c$start_time, c$id$resp_h, c$id$resp_p, c$id$orig_h, c$id$orig_p),
> >>           $conn=c,
> >>           $src=c$id$orig_h,
> >>           $dst=c$id$resp_h,
> >>           $identifier=cat(c$id$resp_h,c$id$orig_h)]);
> >>
> >> On Tue, Aug 11, 2015 at 5:39 PM, Gary Faulkner <gfaulkner.nsm at gmail.com> wrote:
> >>
> >>> Fox-IT shared a script after Bro Con that looks for evidence of
> >>> meterpreter payloads being downloaded, but it prints the results, which
> >>> should work fine with pcaps, but doesn't seem useful for running on
> >>> live traffic. To run this against live traffic it seems like it would be
> >>> preferable to raise a notice instead. What I was thinking was something
> >>> such as below, but I'm not sure if I'm missing any pieces, or if I'm
> >>> even thinking this through correctly. Will this work? Is it likely to
> >>> be cluster safe?
> >>>
> >>> Modified code is below:
> >>>
> >>> module Meterpreter;
> >>>
> >>> export {
> >>>      #Add new notice type for Meterpreter
> >>>      redef enum Notice::Type += {
> >>>          Meterpreter_Seen,
> >>>      };
> >>>      redef record connection += {
> >>>          meterpreter_payload_size: count &optional;
> >>>      };
> >>> }
> >>>
> >>> event tcp_packet(c: connection, is_orig: bool, flags: string,
> >>>                   seq: count, ack: count, len: count, payload: string)
> >>> {
> >>>      if(|payload| == 4 && seq == 1)
> >>>          {
> >>>          c$meterpreter_payload_size = bytestring_to_count(payload, T);
> >>>          }
> >>>      else if (c?$meterpreter_payload_size && seq == 1 && flags == "AP"
> >>> && ack > 5)
> >>>          {
> >>>          if (c$meterpreter_payload_size == ack-5)
> >>>              {
> >>>              #Raise a notice if we think we've seen a payload
> >>>              NOTICE([$note=Meterpreter_Seen,
> >>>                      $msg=fmt("%DT: Possible Meterpreter Payload transfered! %s:%s -> %s:%s",
> >>>                               c$start_time, c$id$resp_h, c$id$resp_p, c$id$orig_h, c$id$orig_p)]);
> >>>              }
> >>>          }
> >>> }
> >>>
> >>>
> >>> The original code is here:
> >>>
> >>> https://github.com/fox-it/bro-scripts/blob/master/meterpreter.bro
> >>>
> >>> ## meterpreter.bro
> >>> ##
> >>> ## Bro-IDS policy to detect Metasploit's meterpreter payload transfer
> >>> ## Note that it does not detect payload transfers over SSL
> >>> ##
> >>> ## Fox-IT
> >>> ## Security Research Team
> >>> ##
> >>> ## https://github.com/fox-it/bro-scripts
> >>>
> >>> export {
> >>>      redef record connection += {
> >>>          meterpreter_payload_size: count &optional;
> >>>      };
> >>> }
> >>>
> >>> event tcp_packet(c: connection, is_orig: bool, flags: string,
> >>>                   seq: count, ack: count, len: count, payload: string)
> >>> {
> >>>      if(|payload| == 4 && seq == 1)
> >>>          {
> >>>          c$meterpreter_payload_size = bytestring_to_count(payload, T);
> >>>          }
> >>>      else if (c?$meterpreter_payload_size && seq == 1 && flags == "AP"
> >>> && ack > 5)
> >>>          {
> >>>          if (c$meterpreter_payload_size == ack-5)
> >>>              {
> >>>              print( fmt("%DT: Possible Meterpreter Payload transfered! %s:%s -> %s:%s",
> >>>                         c$start_time, c$id$resp_h, c$id$resp_p, c$id$orig_h, c$id$orig_p));
> >>>              }
> >>>          }
> >>> }
> >>>
> >>>
> >>> _______________________________________________
> >>> Bro mailing list
> >>> bro at bro-ids.org
> >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >>>
>
>
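The notice-raising variant discussed in this thread, written out as an added example (it is neither the Fox-IT script nor code posted by anyone above). It keeps the Fox-IT length-prefix check unchanged, passes $conn so the Notice framework fills in uid/src/dst/p itself, and makes the suppression trade-off explicit: the identifier granularity and the 10 minute window are assumed, constructed values that a deployment would tune.

```bro
# Added example: Meterpreter payload-transfer notice with explicit suppression.
# Detection logic is the Fox-IT check from the thread; notice fields and the
# suppression knobs are the additions.

module Meterpreter;

export {
    redef enum Notice::Type += {
        ## A 4-byte length prefix was followed by exactly that many payload bytes.
        Meterpreter_Seen,
    };

    ## How long repeated hits with the same identifier are suppressed.
    ## Assumption: 10min is a constructed value; omitting $suppress_for falls back
    ## to Notice::default_suppression_interval (1 hour by default).
    const suppression_interval = 10min &redef;

    redef record connection += {
        meterpreter_payload_size: count &optional;
    };
}

event tcp_packet(c: connection, is_orig: bool, flags: string,
                 seq: count, ack: count, len: count, payload: string)
{
    # First data segment of the reply: the 4-byte payload length (Fox-IT check).
    if ( |payload| == 4 && seq == 1 )
        {
        c$meterpreter_payload_size = bytestring_to_count(payload, T);
        return;
        }

    # The client ACKs exactly length-prefix + payload: treat it as a transfer.
    if ( c?$meterpreter_payload_size && seq == 1 && flags == "AP" && ack > 5
         && c$meterpreter_payload_size == ack - 5 )
        {
        # Per-connection state lives on the worker that owns the flow, and the
        # Notice framework forwards the notice to the manager, so nothing here
        # needs cluster-specific code. The timestamp is already the ts column of
        # notice.log, so it is not repeated in $msg.
        NOTICE([$note=Meterpreter_Seen,
                $msg=fmt("Possible Meterpreter payload transferred: %d bytes",
                         c$meterpreter_payload_size),
                $conn=c,   # Notice framework derives uid, src, dst and p from this
                # Assumption: including resp_p yields one notice per attacker host,
                # victim host and service. Drop resp_p for one notice per host pair
                # (the thread's trade-off), which suppresses later payloads between
                # the same two hosts for the whole window.
                $identifier=cat(c$id$orig_h, c$id$resp_h, c$id$resp_p),
                $suppress_for=suppression_interval]);
        }
}
```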