# sid 2003480 rev 5, as listed under "Added 2017-04-20". The rule is shipped
# commented out (leading '#'), so a sensor will not load it unless an operator
# enables it.
# What it matches: a server-to-client packet (flow:established,from_server)
# sent from a $HOME_NET port in 1024:65535 to $EXTERNAL_NET, with a payload
# smaller than 50 bytes (dsize:<50) that contains the 20-byte pattern below.
# The content has no offset/depth, so it may sit anywhere in that payload.
# Dependency: only evaluated when flowbit BE.Radmin.Challenge is already set
# on the flow. The rule that sets this bit is not shown on this page; if this
# rule is enabled without it, it cannot fire.
#alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; classtype:not-suspicious; sid:2003480; rev:5;)

Added 2017-04-20 17:48:41 UTC


# sid 2003480 rev 5, enabled form (listed under "Added 2014-06-05").
# Unlike the rev 4 and earlier entries on this page, there is no
# flowbits:noalert, so a match raises an alert.
# Still gated on flowbits:isset,BE.Radmin.Challenge; the rule that sets the
# bit is not on this page -- confirm it is enabled, or this never fires.
# Triage: with from_server and a $HOME_NET source, the packet's source address
# is the internal host answering as the Radmin server. Check that this host is
# approved to run Radmin and that the external peer is expected.
# classtype is not-suspicious, so priority-based filters may hide the event.
alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; classtype:not-suspicious; sid:2003480; rev:5;)

Added 2014-06-05 10:23:21 UTC


# sid 2003480 rev 4 (listed under "Added 2011-10-12").
# flowbits:noalert suppresses the alert, and the rule only tests
# BE.Radmin.Challenge (isset) without setting, toggling or clearing any bit.
# As written, a match therefore produces no alert and no state change.
# Compared with the other rev 4 texts on this page, only the option order
# differs (references before classtype); the match conditions are the same.
alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; flowbits:noalert; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; classtype:not-suspicious; sid:2003480; rev:4;)

Added 2011-10-12 19:13:33 UTC


# sid 2003480 rev 4 (listed under "Added 2011-09-14").
# Differs from the 2011-02-04 rev 4 text only in dropping the cvsweb reference
# URL. rev stayed at 4, so sid:rev alone does not distinguish these texts;
# compare the full rule text when auditing what a sensor actually loaded.
# flowbits:noalert is still present, so this revision does not alert.
alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; flowbits:noalert; classtype:not-suspicious; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; sid:2003480; rev:4;)

Added 2011-09-14 22:26:32 UTC


# sid 2003480 rev 4 (listed under "Added 2011-02-04"); same text as the
# 2009-02-11 rev 4 entries on this page.
# Carries three reference URLs (vendor site, rule documentation page, cvsweb
# path). These are metadata only and do not affect matching.
# flowbits:noalert follows the content match: the rule is silent when it hits.
alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; flowbits:noalert; classtype:not-suspicious; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Radmin; sid:2003480; rev:4;)

Added 2011-02-04 17:22:30 UTC


# sid 2003480 rev 4, first of two entries listed under "Added 2009-02-11".
# Relative to rev 3 on this page, it adds the doc.emergingthreats.net and
# cvsweb reference URLs; header, flow, dsize and content are unchanged.
# Silent rule: flowbits:noalert is set and no flowbit is written.
alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; flowbits:noalert; classtype:not-suspicious; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Radmin; sid:2003480; rev:4;)

Added 2009-02-11 19:15:23 UTC


# sid 2003480 rev 4, second entry listed under "Added 2009-02-11".
# Repeats the preceding rev 4 listing on this page with the same timestamp;
# no option differs between the two.
alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; flowbits:noalert; classtype:not-suspicious; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Radmin; sid:2003480; rev:4;)

Added 2009-02-11 19:15:23 UTC


# sid 2003480 rev 3, first of two entries listed under "Added 2008-05-18".
# Destination narrowed from "any any" (rev 2) to "$EXTERNAL_NET any": only a
# $HOME_NET host answering a peer in $EXTERNAL_NET is considered.
# NOTE(review): whether internal-to-internal sessions drop out of scope
# depends on how $EXTERNAL_NET is defined on the sensor -- confirm locally.
# flowbits:noalert is present, so this revision does not alert.
alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; flowbits:noalert; classtype:not-suspicious; reference:url,www.radmin.com; sid:2003480; rev:3;)

Added 2008-05-18 19:52:12 UTC


# sid 2003480 rev 3, second entry listed under "Added 2008-05-18".
# Same text and timestamp as the preceding rev 3 listing on this page.
alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; flowbits:noalert; classtype:not-suspicious; reference:url,www.radmin.com; sid:2003480; rev:3;)

Added 2008-05-18 19:52:12 UTC


# sid 2003480 rev 2, first of two entries listed under "Added 2008-01-31".
# Only the msg prefix changed from rev 1 ("BLEEDING-EDGE" -> "ET"). The
# flowbit keeps its BE.Radmin.Challenge name, presumably so it still pairs
# with the rule that sets it (not shown on this page).
# Destination is "any any": any peer of a $HOME_NET high-port server.
alert tcp $HOME_NET 1024:65535 -> any any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; flowbits:noalert; classtype:not-suspicious; reference:url,www.radmin.com; sid:2003480; rev:2;)

Added 2008-01-31 18:48:10 UTC


# sid 2003480 rev 2, second entry listed under "Added 2008-01-31".
# Same text and timestamp as the preceding rev 2 listing on this page.
alert tcp $HOME_NET 1024:65535 -> any any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; flowbits:noalert; classtype:not-suspicious; reference:url,www.radmin.com; sid:2003480; rev:2;)

Added 2008-01-31 18:48:10 UTC


# sid 2003480 rev 1 (listed under "Added 2007-03-13"), the oldest text on
# this page, published with the BLEEDING-EDGE msg prefix.
# The detection options here (isset on BE.Radmin.Challenge, from_server,
# dsize:<50, the 20-byte content) are the same in every later revision shown.
# Later revisions change only the msg prefix, the destination, the reference
# URLs and, in rev 5, the removal of flowbits:noalert.
alert tcp $HOME_NET 1024:65535 -> any any (msg:"BLEEDING-EDGE POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; flowbits:noalert; classtype:not-suspicious; reference:url,www.radmin.com; sid:2003480; rev:1;)

Added 2007-03-13 15:12:38 UTC

Radmin is a legitimate commercial (and rather good) remote administration tool. However, a few trojans have used it as their remote-control channel, so verify that it is supposed to be running on any host where you see this alert.

-- MattJonkman - 15 Mar 2007


Topic revision: r2 - 2007-03-15 - MattJonkman
 