Modifying the Fox-IT Meterpreter script to raise a notice

Gary_Faulkner1 · August 11, 2015, 10:39pm

Fox-IT shared a script after Bro Con that looks for evidence of meterpreter payloads being downloaded, but it prints the results, which should work fine with pcaps, but doesn't seem useful for running on live traffic. To run this against live traffic it seems like it would be preferable to raise a notice instead. What I was thinking was something such as below, but I'm not sure if I'm missing any pieces, or if I'm even thinking this through correctly. Will this work? Is it likely to be cluster safe?

Modified code is below:

module Meterpreter;

export {
     #Add new notice type for Meterpreter
     redef enum Notice::Type += {
         Meterpreter_Seen,
     };
     redef record connection += {
         meterpreter_payload_size: count &optional;
     };
}

event tcp_packet(c: connection, is_orig: bool, flags: string,
                  seq: count, ack: count, len: count, payload: string)
{
     if(|payload| == 4 && seq == 1)
         {
         c$meterpreter_payload_size = bytestring_to_count(payload, T);
         }
     else if (c?$meterpreter_payload_size && seq == 1 && flags == "AP" && ack > 5)
         {
         if (c$meterpreter_payload_size == ack-5)
             {
             #Raise a notice if we think we've seen a payload
             NOTICE([$note=Meterpreter_Seen,
             $msg=fmt("%DT: Possible Meterpreter Payload transfered! %s:%s -> %s:%s",
             c$start_time, c$id$resp_h, c$id$resp_p, c$id$orig_h, c$id$orig_p)]);
             }
         }
}

The original code is here:

https://github.com/fox-it/bro-scripts/blob/master/meterpreter.bro

## meterpreter.bro

dopheide · August 11, 2015, 10:44pm

I did something similar, but my Notice code looks like this to help populate the other fields. I haven’t gotten around to doing a production test yet.

NOTICE([$note=FoxIT::Meterpreter,
$msg=fmt("%DT: Possible Meterpreter Payload transfered! %s:%s → %s:%s",
c$start_time, c$id$resp_h, c$id$resp_p, c$id$orig_h, c$id$orig_p),
$conn=c,
$src=c$id$orig_h,
$dst=c$id$resp_h,
$identifier=cat(c$id$resp_h,c$id$orig_h)]);

Gary_Faulkner1 · August 11, 2015, 11:26pm

Good pointer. I had gotten a couple hits already, and noticed the notice
line had a few empty fields, but hadn't looked into it further yet. I'll
give that a shot.

Gary_Faulkner1 · August 11, 2015, 11:59pm

The identifier is used for notice suppression correct? If I'm reading
this correctly won't this suppress any further notices of this type that
have the same combination of src ip and dst ip for the default
suppression interval? Wouldn't this potentially result in missing
additional payloads?

dopheide · August 12, 2015, 12:08am

Yes, it’s a trade off. I generally prefer the one notice/alert to start an investigation into everything the attacking IP was doing.

Gary_Faulkner1 · August 12, 2015, 2:40pm

If any one is curious, the modified script I ended up with after incorporating Mike's suggestions is below. In the 14 hours or so I've been running it against production traffic I've already seen several hits. At least one of those hosts has multiple hits every few hours and appears to need further investigation, while another looks like it may be a false positive triggering on what appears to be a stock checking/trading app that connects to HDS3.ninjatrader.com on port 31654.

## meterpreter.bro

Topic		Replies	Views
(no subject) Zeek	1	76	May 6, 2022
script working from cmd line but not from local.bro Zeek	6	72	May 6, 2022
SSH brute-force email notice Zeek	11	67	May 6, 2022
Debugging Bro Scripts Where action = Notice::ACTION_EMAIL Zeek	9	72	May 6, 2022
Intel alerts not showing up in the notice log Zeek	2	96	May 6, 2022

Modifying the Fox-IT Meterpreter script to raise a notice

Related Topics