8

I am learning while configuring Snort; my setup consists of an attacker (Linux), a victim (Android smartphone) and one detection system (IDS). So far, I have been able to log all the packets between the attacker and victim, including the Meterpreter session. What should I do/research if I want to detect the Meterpreter session? A little bit of packet analysis gave me a hex value for the stager. The payload used is android/meterpreter/reverse_tcp.

I want to make a rule file for detecting a Meterpreter session between those two devices. How should I proceed? It would really be helpful if someone points me in the right direction. Thanks!

OscarAkaElvis (5,185 • 3 • 17 • 48)
Mahip (81 • 1 • 4)
  • There are already snort rules to detect meterpreter sessions: https://rules.emergingthreats.net/open/ – Glenn Mar 21 '17 at 01:15
  • This gives neither an explanation of how such rules can be written nor points to specific rules which detect Meterpreter that could be used as an example, but only to a directory with lots of Snort rules, most of them unrelated to the question. Insofar, it does not answer the question. – Steffen Ullrich Mar 21 '17 at 06:11

2 Answers

3

I know this is an old question, but while searching I found this interesting post. There are the hints you need. Extracted from there:

You can write a Snort rule to detect Meterpreter sessions on external connections, I mean reverse Meterpreter shells trying to connect to the outside, like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit Meterpreter"; flow:to_server,established; content:"RECV"; http_client_body; depth:4; fast_pattern; isdataat:!0,relative; urilen:23<>24,norm; content:"POST"; pcre:"/^\/[a-z0-9]{4,5}_[a-z0-9]{16}\/$/Ui"; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/05/11/detecting-network-traffic-from-metasploits-meterpreter-reverse-http-module/; sid:1618008; rev:1;)

For other kinds of scenario, changes should be made to the rule, but it is a beginning.

OscarAkaElvis (5,185 • 3 • 17 • 48)
  • Yes, I had seen this post earlier. I created a small setup with a laptop as router (hotspot), an Android phone as the victim and a laptop with Kali Linux as my attacker trying to get access into the mobile. Then, I created a captive portal from the laptop (router) where any client(s) connected to my access point had to register first. After registering, they have to select the sites they want to visit. Once I had the sites' names, I wrote a shell script to ping the sites and update the Snort rules to allow all those communications and block anything more than that. Basically a firewall. – Mahip Mar 29 '17 at 06:14
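To see how the options in the quoted rule combine into a detection decision, here is the same logic translated into Python and run over constructed HTTP requests. This is an added illustration, not code from the answer or from Didier Stevens' post: the regex, URI length and body conditions are taken from the rule above, the sample requests are made up here, and the parser is a deliberately simplistic stand-in for the normalisation Snort's HTTP preprocessor performs. Note that it models the reverse_http handler's check-in only; the android/meterpreter/reverse_tcp payload in the question does not speak HTTP, so a rule for it needs different content matches.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Conditions lifted from the rule quoted above (pcre /Ui, urilen, content+depth, isdataat).
URI_RE = re.compile(r"^/[a-z0-9]{4,5}_[a-z0-9]{16}/$", re.IGNORECASE)
URI_LEN_MIN, URI_LEN_MAX = 23, 24        # urilen:23<>24,norm -- the lengths the regex can produce
BODY_MARKER = b"RECV"                    # content:"RECV"; http_client_body; depth:4


@dataclass
class HttpRequest:
    method: str
    uri: str
    body: bytes


def parse_request(raw: bytes) -> Optional[HttpRequest]:
    """Split a reassembled client->server HTTP request into method, URI and body.

    Returns None when the request line is malformed. Snort's HTTP preprocessor
    does the real (and far more thorough) normalisation before rule matching.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return None
    method, uri, _version = parts
    return HttpRequest(method.decode("ascii", "replace"), uri.decode("ascii", "replace"), body)


def matches_meterpreter_rule(req: HttpRequest) -> bool:
    """Apply the rule's detection options one by one; all must hold for an alert."""
    # content:"POST" -- the rule matches the literal anywhere; the method is where it lives.
    if req.method != "POST":
        return False
    # urilen:23<>24,norm -- cheap length filter before the regex.
    if not (URI_LEN_MIN <= len(req.uri) <= URI_LEN_MAX):
        return False
    # pcre:"/^\/[a-z0-9]{4,5}_[a-z0-9]{16}\/$/Ui" -- the check-in URI shape.
    if not URI_RE.match(req.uri):
        return False
    # content:"RECV"; http_client_body; depth:4 -- body must start with RECV ...
    if req.body[:4] != BODY_MARKER:
        return False
    # isdataat:!0,relative -- ... and nothing may follow it.
    if len(req.body) != len(BODY_MARKER):
        return False
    return True


def scan(requests: List[bytes]) -> List[int]:
    """Return the indices of the requests that would trigger the rule."""
    hits = []
    for i, raw in enumerate(requests):
        req = parse_request(raw)
        if req is not None and matches_meterpreter_rule(req):
            hits.append(i)
    return hits


# Constructed sample traffic (not a real capture): a request shaped like the rule
# describes, a benign login POST, and a near miss with trailing data after RECV.
SAMPLE_REQUESTS = [
    b"POST /ab12c_0123456789abcdef/ HTTP/1.1\r\nHost: 203.0.113.10\r\nContent-Length: 4\r\n\r\nRECV",
    b"POST /api/login HTTP/1.1\r\nHost: intranet.example\r\nContent-Length: 13\r\n\r\nuser=a&pass=b",
    b"POST /ab12c_0123456789abcdef/ HTTP/1.1\r\nHost: 203.0.113.10\r\nContent-Length: 5\r\n\r\nRECVX",
]

if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print(f"alert: request {i} matches 'Metasploit Meterpreter'")
```

Only the first sample fires: the second fails the URI checks, and the third shows why `isdataat:!0,relative` is there, since a body of "RECVX" begins with the marker but is not the bare four-byte check-in the rule describes.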
1

I would check Emerging Threats' rules.

https://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules

Search for Meterpreter and you can see at least 50 different examples of sigs that detect Meterpreter in various different stages and variations of the attack.

MikeSchem (2,266 • 1 • 13 • 33)