List: bleeding-sigs
Subject: [Bleeding-sigs] Radmin Sigs
From: Matt Jonkman <jonkman () bleedingthreats ! net>
Date: 2007-03-13 18:52:22
Message-ID: 45F6F2E6.20102 () bleedingthreats ! net
Have some sigs to cover Radmin setups and auth.
Kinda strange how it seems to work. It makes an initial connection that
must be to share capabilities. Then a second session to challenge and auth.
Pretty widely used too, but it's also been used here and there by
trojans as a backdoor. Thought these would be valuable.
If you're running radmin please test these and let me know how well they
work among other versions of the software:
alert tcp any any -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE POLICY Radmin Remote Control Session Setup Initiate"; flow:established,to_server; content:"|01 00 00 00 01 00 00 00 08 08|"; flowbits:set,BE.Radmin.Challenge; classtype:not-suspicious; reference:url,www.radmin.com; sid:2003479; rev:1;)

alert tcp $HOME_NET 1024:65535 -> any any (msg:"BLEEDING-EDGE POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; flowbits:noalert; classtype:not-suspicious; reference:url,www.radmin.com; sid:2003480; rev:1;)

alert tcp any any -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE POLICY Radmin Remote Control Session Authentication Initiate"; flow:established,to_server; dsize:<20; content:"|01 00 00 00 05 00 00 02 27 27 02 00 00 00|"; flowbits:set,BE.Radmin.Auth.Challenge; classtype:not-suspicious; reference:url,www.radmin.com; sid:2003481; rev:1;)

alert tcp $HOME_NET 1024:65535 -> any any (msg:"BLEEDING-EDGE POLICY Radmin Remote Control Session Authentication Response"; flowbits:isset,BE.Radmin.Auth.Challenge; flow:established,from_server; dsize:<20; content:"|01 00 00 00 05 00 00 00 27 27 00 00 00 00|"; flowbits:noalert; classtype:not-suspicious; reference:url,www.radmin.com; sid:2003482; rev:1;)
--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
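Editor's note: the four rules above pair up through flowbits, and the two-session behaviour Matt describes (one connection for capabilities, a second one for the challenge and auth) means the state set in the first connection never reaches the second. The following is an added example, written for this page and not part of the original post, the Bleeding Edge ruleset or Snort: a small Python model of the rule logic run over constructed traffic. It simplifies Snort's semantics (content is a substring search, dsize is a bound on payload length, to_server/from_server is decided by who sent the first packet of a flow, flowbits are kept per TCP 4-tuple), and the server port 4899, the addresses and the sample payloads are assumptions made up for the example.

```python
"""Added example: a toy model of the flowbits pairing in the four Radmin rules.
Not the Bleeding Edge ruleset and not Snort; constructed traffic only."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    direction: str                  # flow:to_server or flow:from_server
    content: bytes                  # content:"|..|", matched anywhere in the payload
    max_dsize: Optional[int] = None  # dsize:<N
    set_bit: Optional[str] = None    # flowbits:set,NAME
    isset_bit: Optional[str] = None  # flowbits:isset,NAME
    noalert: bool = False            # flowbits:noalert


# The four rules from the post, transcribed into the model above.
RULES = [
    Rule(2003479, "Radmin Remote Control Session Setup Initiate", "to_server",
         bytes.fromhex("01 00 00 00 01 00 00 00 08 08"),
         set_bit="BE.Radmin.Challenge"),
    Rule(2003480, "Radmin Remote Control Session Setup Response", "from_server",
         bytes.fromhex("01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00"),
         max_dsize=50, isset_bit="BE.Radmin.Challenge", noalert=True),
    Rule(2003481, "Radmin Remote Control Session Authentication Initiate", "to_server",
         bytes.fromhex("01 00 00 00 05 00 00 02 27 27 02 00 00 00"),
         max_dsize=20, set_bit="BE.Radmin.Auth.Challenge"),
    Rule(2003482, "Radmin Remote Control Session Authentication Response", "from_server",
         bytes.fromhex("01 00 00 00 05 00 00 00 27 27 00 00 00 00"),
         max_dsize=20, isset_bit="BE.Radmin.Auth.Challenge", noalert=True),
]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Flow:
    client: Tuple[str, int]          # whoever sent the first packet of the flow
    bits: Set[str] = field(default_factory=set)


def flow_key(p: Packet) -> Tuple[Tuple[str, int], Tuple[str, int]]:
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def evaluate(packets: List[Packet], home_net: str = "10.0.0.0/8",
             rules: List[Rule] = RULES) -> List[Tuple[int, str]]:
    """Run the rules over a packet sequence; return the (sid, msg) alerts raised."""
    home = ipaddress.ip_network(home_net)
    flows: Dict[tuple, Flow] = {}
    alerts: List[Tuple[int, str]] = []
    for p in packets:
        flow = flows.setdefault(flow_key(p), Flow(client=(p.src, p.sport)))
        to_server = (p.src, p.sport) == flow.client
        for r in rules:
            # Rule header: 'any any -> $HOME_NET 1024:65535' for to_server rules,
            # '$HOME_NET 1024:65535 -> any any' for from_server rules.
            if r.direction == "to_server":
                if not to_server or ipaddress.ip_address(p.dst) not in home or p.dport < 1024:
                    continue
            else:
                if to_server or ipaddress.ip_address(p.src) not in home or p.sport < 1024:
                    continue
            if r.max_dsize is not None and len(p.payload) >= r.max_dsize:
                continue
            if r.content not in p.payload:
                continue
            if r.isset_bit and r.isset_bit not in flow.bits:
                continue
            # Every option matched: update per-flow state, then alert unless suppressed.
            if r.set_bit:
                flow.bits.add(r.set_bit)
            if not r.noalert:
                alerts.append((r.sid, r.msg))
    return alerts


# Constructed traffic (assumed port 4899 and padding bytes; not a real capture).
CLIENT, SERVER = "192.0.2.10", "10.0.0.5"
SETUP_INIT = bytes.fromhex("01 00 00 00 01 00 00 00 08 08")
AUTH_INIT = bytes.fromhex("01 00 00 00 05 00 00 02 27 27 02 00 00 00")
SAMPLE_SESSION = [
    # Connection 1: capability exchange.
    Packet(CLIENT, 51000, SERVER, 4899, SETUP_INIT + b"\x00\x00"),
    Packet(SERVER, 4899, CLIENT, 51000,
           bytes.fromhex("01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00")),
    # Connection 2: challenge and auth; a new flow, so fresh flowbits.
    Packet(CLIENT, 51001, SERVER, 4899, AUTH_INIT),
    Packet(SERVER, 4899, CLIENT, 51001,
           bytes.fromhex("01 00 00 00 05 00 00 00 27 27 00 00 00 00")),
]
# Setup bytes sent by the home-net host that opened the flow: not to_server into $HOME_NET.
NO_MATCH = [Packet(SERVER, 4899, CLIENT, 51002, SETUP_INIT)]
# Auth initiate padded to 20 bytes: fails dsize:<20.
OVERSIZED = [Packet(CLIENT, 51003, SERVER, 4899, AUTH_INIT + b"\x00" * 6)]

if __name__ == "__main__":
    for sid, msg in evaluate(SAMPLE_SESSION):
        print(sid, msg)
```

Run as written, a full session produces exactly two alerts, sids 2003479 and 2003481: both response rules carry flowbits:noalert, so they only ever consume the bit the matching initiate rule set on the same flow. Because the auth exchange happens on its own TCP connection, BE.Radmin.Auth.Challenge is set and checked entirely within that second flow; nothing from the capability exchange carries over, which is why the second pair needs its own flowbit rather than reusing BE.Radmin.Challenge.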