
I'm currently working on Snort and I'm trying to detect Meterpreter sessions in reverse TCP or HTTPS, a Trojan ...

Does anyone know Snort rules to detect this? Despite my research, I have found nothing conclusive.

  • Snort cannot detect the *trojan*, but it can detect the *traffic*. Since you want to detect it in both reverse TCP *and* HTTPS, you need a method to detect the specific signature of Meterpreter. Once you narrow down your question to that, your search term becomes clearer (and with available answers): https://security.stackexchange.com/questions/130033/snort-rules-to-detect-meterpreter-sessions – schroeder Jul 24 '19 at 08:34
  • Thank you very much for your answer. Finally, with luck, I found what I was looking for: https://fr.slideshare.net/SalvatoreLentini4/ids-passive-defense-of-the-network. I had already visited the link you posted; I tried the rule but it did not work. – Jérémy Papin Jul 24 '19 at 11:22
  • For people who are interested in the rule for reverse TCP: alert tcp any any -> any any (msg:"reverse tcp has been detected"; content:"|4d 5a e8 00 00 00 00 5b 52 45|"; classtype:trojan-activity; sid:XXXXXX; rev:1;) The content is made from hexadecimal values of the payload; see https://fr.slideshare.net/SalvatoreLentini4/ids-passive-defense-of-the-network – Jérémy Papin Jul 24 '19 at 12:24
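As an added example that is not part of the thread above (and not Snort's own code), the content match from the posted rule re-implemented in Python and run over a few constructed payloads, so you can see what the signature does and does not catch. The ten bytes are the ones from the rule; the sid, the flow names and the sample payloads are assumptions made for the example. The byte string is the position-independent bootstrap (call $+5 / pop ebx / push edx / inc ebp) that Metasploit's reflective-DLL stage carries right after its "MZ" marker, which is why it fires on the stage but not on an ordinary PE file.

```python
import re

# Added example, not code from the thread. It re-implements the rule's content
# match in Python so the signature can be tried against sample payloads offline.
# The sid is a hypothetical number in the customary local-rule range; the
# content bytes are the ones from the posted rule.
REVERSE_TCP_RULE = (
    'alert tcp any any -> any any (msg:"reverse tcp has been detected"; '
    'content:"|4d 5a e8 00 00 00 00 5b 52 45|"; classtype:trojan-activity; '
    'sid:1000001; rev:1;)'
)

# Every content:"..." option in a rule body; the quoted string may contain \" escapes.
CONTENT_RE = re.compile(r'content\s*:\s*("(?:[^"\\]|\\.)*")')


def parse_content(value: str) -> bytes:
    """Turn a Snort content string into bytes.

    Text outside |...| is literal (with backslash escapes), text inside |...| is
    whitespace-separated hex, e.g. "GET |2f| HTTP" -> b"GET / HTTP".
    """
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    segments = value.split("|")
    if len(segments) % 2 == 0:
        raise ValueError(f"unbalanced | in content: {value!r}")
    out = bytearray()
    for i, seg in enumerate(segments):
        if i % 2 == 0:  # literal segment: drop the escaping backslashes
            out += re.sub(r"\\(.)", r"\1", seg).encode("latin-1")
        else:           # hex segment; fromhex skips the whitespace between byte pairs
            out += bytes.fromhex(seg)
    return bytes(out)


def rule_patterns(rule: str) -> list:
    """All content patterns a rule requires, in the order they are written."""
    return [parse_content(m) for m in CONTENT_RE.findall(rule)]


def payload_matches(payload: bytes, patterns: list) -> bool:
    """Snort semantics with no modifiers: every pattern must occur somewhere in the payload."""
    return all(p in payload for p in patterns)


def scan(flows: dict, rule: str = REVERSE_TCP_RULE) -> list:
    """Names of the flows whose payload the rule would alert on."""
    patterns = rule_patterns(rule)
    return [name for name, data in flows.items() if payload_matches(data, patterns)]


# Constructed sample payloads (not captures):
SAMPLE_FLOWS = {
    # First bytes of a reflective-DLL stage on a plaintext reverse_tcp session:
    # "MZ" followed by call $+5 / pop ebx / push edx / inc ebp, the stub the rule
    # keys on, then filler standing in for the rest of the DLL.
    "meterpreter_reverse_tcp_stage": b"MZ\xe8\x00\x00\x00\x00\x5b\x52\x45" + b"\x00" * 16,
    # An ordinary PE downloaded over HTTP also starts with "MZ", but the DOS
    # header bytes after it are not the call/pop stub, so the rule stays quiet.
    "benign_pe_download": b"HTTP/1.1 200 OK\r\n\r\nMZ\x90\x00\x03\x00\x00\x00\x04\x00",
    # A TLS ClientHello, which is all a reverse_https session shows on the wire;
    # the stage travels inside the encrypted channel, so no content match can fire.
    "meterpreter_reverse_https_hello": b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + b"\x11" * 32,
}

if __name__ == "__main__":
    alerted = scan(SAMPLE_FLOWS)
    for name in SAMPLE_FLOWS:
        print(f"{'ALERT' if name in alerted else 'pass ':5}  {name}")
```

Only the reverse_tcp flow alerts. The benign PE shows why the signature is the MZ-plus-bootstrap bytes rather than just `MZ` (a plain `|4d 5a|` rule would page you on every executable download), and the reverse_https flow shows the limit schroeder pointed out: a `content` match never sees inside TLS, so an HTTPS session needs something other than a payload pattern. The matcher models only bare `content` options; `offset`, `depth`, `distance`, `within`, `nocase` and negated content are not handled.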
