Fox-IT shared a script after Bro Con that looks for evidence of meterpreter payloads being downloaded, but it prints the results; that works fine with pcaps, but doesn't seem useful for running on live traffic. To run this against live traffic it seems like it would be preferable to raise a notice instead. What I was thinking was something like the code below, but I'm not sure if I'm missing any pieces, or if I'm even thinking this through correctly. Will this work? Is it likely to be cluster-safe?
Modified code is below:
module Meterpreter;

export {
	## Raised when a TCP stream matches the length-prefix heuristic used to
	## spot a Meterpreter stage being transferred.
	redef enum Notice::Type += {
		Meterpreter_Seen,
	};

	## Length announced by the 4-byte prefix, kept on the connection until the
	## peer's acknowledgement can be compared against it.
	redef record connection += {
		meterpreter_payload_size: count &optional;
	};
}
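# Heuristic check for a Meterpreter stager transfer, ported from Fox-IT's
# meterpreter.bro so that it raises a notice instead of printing.
#
# Handling tcp_packet makes the core raise an event for every TCP packet, so
# this carries a per-packet cost on live traffic. The only state kept is the
# field redef'd into the connection record, which lives on whichever worker
# handles that connection, and NOTICE is relayed to the manager, so the logic
# itself should be cluster-safe. As in the original script the heuristic is
# not direction-aware: the 4-byte length prefix is accepted from either
# endpoint, so a connection whose first segment happens to be 4 bytes can
# reach the comparison below.
event tcp_packet(c: connection, is_orig: bool, flags: string,
                 seq: count, ack: count, len: count, payload: string)
	{
	# A 4-byte first segment (relative seq 1) is taken as the little-endian
	# length prefix that precedes the stage (second argument selects LE).
	if ( |payload| == 4 && seq == 1 )
		{
		c$meterpreter_payload_size = bytestring_to_count(payload, T);
		return;
		}

	# Nothing to compare against until a length prefix has been recorded.
	if ( ! c?$meterpreter_payload_size )
		return;

	# The peer's first data segment (relative seq 1, PSH+ACK) acknowledges
	# 1 + 4 + <stage length> bytes once the whole stage has arrived; the
	# ack > 5 guard keeps the subtraction from wrapping on a count.
	if ( seq == 1 && flags == "AP" && ack > 5
	     && c$meterpreter_payload_size == ack - 5 )
		{
		NOTICE([$note=Meterpreter_Seen,
		        $msg=fmt("%DT: Possible Meterpreter Payload transfered! %s:%s -> %s:%s",
		                 c$start_time, c$id$resp_h, c$id$resp_p,
		                 c$id$orig_h, c$id$orig_p),
		        # Attach the connection so notice.log carries the uid and
		        # 5-tuple and notice actions can refer to the connection.
		        $conn=c,
		        # Suppress repeats for the same endpoint pair within
		        # Notice::default_suppression_interval.
		        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
		}
	}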
The original code is here:
https://github.com/fox-it/bro-scripts/blob/master/meterpreter.bro
## meterpreter.bro