
List:       bleeding-sigs
Subject:    [Bleeding-sigs] Radmin Sigs
From:       Matt Jonkman <jonkman () bleedingthreats ! net>
Date:       2007-03-13 18:52:22
Message-ID: 45F6F2E6.20102 () bleedingthreats ! net

Have some sigs to cover Radmin setups and auth.

Kinda strange how it seems to work. It makes an initial connection that
must be to share capabilities. Then a second session to challenge and auth.

Pretty widely used too, but it's also been used here and there by
trojans as a backdoor. Thought these would be valuable.

If you're running radmin please test these and let me know how well they
work among other versions of the software:

# Session 1: capability exchange. The client-side rule sets a flowbit; the server-side rule only matches once that bit is set on the same flow, and does not alert itself.
alert tcp any any -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE POLICY Radmin Remote Control Session Setup Initiate"; flow:established,to_server; content:"|01 00 00 00 01 00 00 00 08 08|"; flowbits:set,BE.Radmin.Challenge; classtype:not-suspicious; reference:url,www.radmin.com; sid:2003479; rev:1;)
alert tcp $HOME_NET 1024:65535 -> any any (msg:"BLEEDING-EDGE POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; flowbits:noalert; classtype:not-suspicious; reference:url,www.radmin.com; sid:2003480; rev:1;)
# Session 2: challenge and authentication, same pairing pattern with its own flowbit.
alert tcp any any -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE POLICY Radmin Remote Control Session Authentication Initiate"; flow:established,to_server; dsize:<20; content:"|01 00 00 00 05 00 00 02 27 27 02 00 00 00|"; flowbits:set,BE.Radmin.Auth.Challenge; classtype:not-suspicious; reference:url,www.radmin.com; sid:2003481; rev:1;)
alert tcp $HOME_NET 1024:65535 -> any any (msg:"BLEEDING-EDGE POLICY Radmin Remote Control Session Authentication Response"; flowbits:isset,BE.Radmin.Auth.Challenge; flow:established,from_server; dsize:<20; content:"|01 00 00 00 05 00 00 00 27 27 00 00 00 00|"; flowbits:noalert; classtype:not-suspicious; reference:url,www.radmin.com; sid:2003482; rev:1;)


-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
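Added example (not part of Matt's post, and not Snort code): a small Python model of how the four signatures above fit together. It re-implements the pieces the rules rely on, per-flow state that mimics the flowbits keyword, the dsize limits, the to_server/from_server direction check and the $HOME_NET side of the header, and runs them over a constructed two-session Radmin exchange built from the byte patterns in the rules. The addresses, client ports and the 10.0.0.0/8 stand-in for $HOME_NET are constructed; the Snort semantics are simplified (content is matched anywhere in the payload, direction is taken from the first packet seen on a flow, no stream reassembly). It also shows the two negative cases the rules are designed to handle: a "response" pattern on a flow that never saw the initiate, and a response padded past the dsize limit.

```python
"""Model of the Radmin flowbits rule pairs (example code, not Snort)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed stand-in for Snort's $HOME_NET.
HOME_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    to_server: bool          # flow:to_server (True) or flow:from_server (False)
    content: bytes           # the |hex| content from the signature
    dsize_lt: Optional[int]  # dsize:<N, or None when the rule has no dsize
    set_bit: Optional[str] = None    # flowbits:set,<name>
    isset_bit: Optional[str] = None  # flowbits:isset,<name>
    noalert: bool = False            # flowbits:noalert


# The four signatures from the post, transcribed field by field.
RULES = [
    Rule(2003479, "Radmin Remote Control Session Setup Initiate", True,
         bytes.fromhex("01000000010000000808"), None,
         set_bit="BE.Radmin.Challenge"),
    Rule(2003480, "Radmin Remote Control Session Setup Response", False,
         bytes.fromhex("010000002500000212080200000a000000000000"), 50,
         isset_bit="BE.Radmin.Challenge", noalert=True),
    Rule(2003481, "Radmin Remote Control Session Authentication Initiate", True,
         bytes.fromhex("0100000005000002272702000000"), 20,
         set_bit="BE.Radmin.Auth.Challenge"),
    Rule(2003482, "Radmin Remote Control Session Authentication Response", False,
         bytes.fromhex("0100000005000000272700000000"), 20,
         isset_bit="BE.Radmin.Auth.Challenge", noalert=True),
]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


class FlowbitEngine:
    """Minimal stand-in for Snort's session tracking plus the flowbits keyword."""

    def __init__(self) -> None:
        self.flows = {}  # normalised 4-tuple -> {"client": (ip, port), "bits": set()}

    def _flow(self, pkt: Packet) -> dict:
        # Both directions of a connection map to one record; the first packet
        # seen on a flow is taken to come from the client (simplification).
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        key = tuple(sorted([a, b]))
        return self.flows.setdefault(key, {"client": a, "bits": set()})

    @staticmethod
    def _header_matches(rule: Rule, pkt: Packet) -> bool:
        # "any any -> $HOME_NET 1024:65535" for to_server rules; the server side
        # is the source for from_server rules ("$HOME_NET 1024:65535 -> any any").
        home_ip, home_port = (pkt.dst, pkt.dport) if rule.to_server else (pkt.src, pkt.sport)
        return ip_address(home_ip) in HOME_NET and 1024 <= home_port <= 65535

    def process(self, pkt: Packet) -> Tuple[List[int], List[int]]:
        """Evaluate every rule against pkt; return (matched_sids, alerted_sids).
        A flowbits:noalert rule can match, and record state, without alerting."""
        flow = self._flow(pkt)
        to_server = (pkt.src, pkt.sport) == flow["client"]
        matched, alerted = [], []
        for rule in RULES:
            if rule.to_server != to_server or not self._header_matches(rule, pkt):
                continue
            if rule.dsize_lt is not None and len(pkt.payload) >= rule.dsize_lt:
                continue
            if rule.content not in pkt.payload:
                continue
            if rule.isset_bit and rule.isset_bit not in flow["bits"]:
                continue  # response seen without its challenge on this flow: no match
            if rule.set_bit:
                flow["bits"].add(rule.set_bit)
            matched.append(rule.sid)
            if not rule.noalert:
                alerted.append(rule.sid)
        return matched, alerted


# Constructed endpoints for the sample exchange; 4899 is a plausible Radmin server port.
CLIENT, SERVER = "192.0.2.10", "10.1.2.3"
SETUP_INIT, SETUP_RESP, AUTH_INIT, AUTH_RESP = (r.content for r in RULES)


def run_sample() -> dict:
    engine = FlowbitEngine()
    matched, alerted = [], []
    # Session 1 (constructed): capability exchange on one TCP connection.
    # Session 2 (constructed): challenge/auth on a second connection, so the
    # Setup bit from session 1 is not carried over, exactly as the rules expect.
    for pkt in (Packet(CLIENT, 51000, SERVER, 4899, SETUP_INIT),
                Packet(SERVER, 4899, CLIENT, 51000, SETUP_RESP),
                Packet(CLIENT, 51001, SERVER, 4899, AUTH_INIT),
                Packet(SERVER, 4899, CLIENT, 51001, AUTH_RESP)):
        m, a = engine.process(pkt)
        matched += m
        alerted += a
    # Negative case 1: the response pattern on a flow that never saw an initiate.
    stray = FlowbitEngine().process(Packet(SERVER, 4899, CLIENT, 51002, SETUP_RESP))
    # Negative case 2: a valid initiate followed by a response padded past dsize:<50.
    padded_engine = FlowbitEngine()
    padded_engine.process(Packet(CLIENT, 51003, SERVER, 4899, SETUP_INIT))
    padded = padded_engine.process(Packet(SERVER, 4899, CLIENT, 51003, SETUP_RESP + b"\x00" * 40))
    return {"matched": matched, "alerted": alerted, "stray": stray, "padded": padded}


if __name__ == "__main__":
    print(run_sample())
```

Only the two Initiate rules produce alerts; the Response rules match and consume the flowbit but stay silent, which is what flowbits:noalert is for. If you are validating these signatures against another Radmin version, the same model lets you drop in captured payloads for the four packets and see which check (direction, dsize, content, or the flowbit) is the one that stops a rule from matching.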