[Emerging-Sigs] famatech/radmin on RBN list?

Michael Scheidell scheidell at secnap.net
Fri Jan 9 16:44:24 EST 2009


Owners of the legitimate administration tool 'radmin' are not associated 
with the RBN.  I have had good conversations with their security folk up 
there in the past.

01/09-16:32:53 TCP 198.63.210.130:80 
<https://gazit.hackertrap.net/base/base_stat_ipaddr.php?ip=198.63.210.130> 
--> 192.168.100.188:4074 
<https://gazit.hackertrap.net/base/base_stat_ipaddr.php?ip=192.168.100.188>
[1:2407012:101] <http://www.snort.org/pub-bin/sigs.cgi?sid=2407012> ET 
RBN Known Russian Business Network Monitored Domains - BLOCKING (13)

host fam4.famatech.com
fam4.famatech.com has address 198.63.210.130

I don't think they share a netblock with anyone.

Anyone using radmin and trying to get an update might get blocked for a 
day. (And it looks like you have it in two lists, 13 and 14?)

grep 198.63.210 /etc/snort/rules/*
/etc/snort/rules/emerging-rbn-BLOCK.rules:alert ip 
[195.42.103.91,195.5.116.0/24,195.5.117.0/24,195.64.140.0/23,195.64.162.0/23,195.64.190.1,195.66.132.0/24,195.95.218.0/23,196.2.198.240,198.63.210.0/24] 
any -> $HOME_NET any (msg:"ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (13)"; 
reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; 
threshold: type limit, track by_src, seconds 60, count 1; 
classtype:misc-attack; sid:2407012; rev:101; fwsam: src, 24 hours;)

/etc/snort/rules/emerging-rbn-BLOCK.rules:alert ip 
[198.63.210.123,198.63.211.208,198.63.211.8,199.237.229.158,200.115.160.0/20,200.155.17.172,200.46.83.245,200.63.42.136,200.63.42.141,200.63.42.81] 
any -> $HOME_NET any (msg:"ET RBN Known Russian Business Network 
Monitored Domains - BLOCKING (14)"; 
reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; 
threshold: type limit, track by_src, seconds 60, count 1; 
classtype:misc-attack; sid:2407013; rev:101; fwsam: src, 24 hours;)

-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * King of Spam Filters, SC Magazine 2008
    * Information Security Award 2008, Info Security Products Guide
    * CRN Magazine Top 40 Emerging Security Vendors
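The two questions in the message above (which rule entry actually matched the famatech address, and whether the host also sits in a second list) can be answered mechanically from the rule text rather than by eye. The script below is an added example, not code from the poster or from Emerging Threats; it uses the two rule bodies from the grep output (trimmed to the address list, msg and sid) as constructed input and relies on the standard `ipaddress` module (`subnet_of` needs Python 3.7 or later). It reports every rule entry containing a given IP, and every entry in one rule that is already covered by a wider entry in another, which is the overlap between list 13's 198.63.210.0/24 and list 14's single host 198.63.210.123.

```python
import ipaddress
import re

# Constructed input: the two rules from the grep output in the message,
# reduced to the bracketed address list, msg and sid (other options elided).
RULES = [
    'alert ip [195.42.103.91,195.5.116.0/24,195.5.117.0/24,195.64.140.0/23,'
    '195.64.162.0/23,195.64.190.1,195.66.132.0/24,195.95.218.0/23,'
    '196.2.198.240,198.63.210.0/24] any -> $HOME_NET any '
    '(msg:"ET RBN Known Russian Business Network Monitored Domains - BLOCKING (13)"; '
    'sid:2407012; rev:101;)',
    'alert ip [198.63.210.123,198.63.211.208,198.63.211.8,199.237.229.158,'
    '200.115.160.0/20,200.155.17.172,200.46.83.245,200.63.42.136,'
    '200.63.42.141,200.63.42.81] any -> $HOME_NET any '
    '(msg:"ET RBN Known Russian Business Network Monitored Domains - BLOCKING (14)"; '
    'sid:2407013; rev:101;)',
]

ADDR_LIST = re.compile(r"^alert\s+ip\s+\[([^\]]+)\]")
SID = re.compile(r"sid:(\d+);")


def parse_rule(rule):
    """Return (sid, [ip_network, ...]) for a Snort rule whose source is a bracketed list.

    Bare hosts such as 195.42.103.91 become /32 networks so every entry is comparable.
    """
    m = ADDR_LIST.search(rule)
    if not m:
        raise ValueError("rule has no bracketed source address list")
    nets = [ipaddress.ip_network(e.strip(), strict=False)
            for e in m.group(1).split(",") if e.strip()]
    sid = int(SID.search(rule).group(1))
    return sid, nets


def matching_entries(ip, rules):
    """Return [(sid, entry), ...] for every rule entry that contains ip."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for rule in rules:
        sid, nets = parse_rule(rule)
        hits.extend((sid, str(net)) for net in nets if addr in net)
    return hits


def redundant_entries(rules):
    """Return entries of one rule already covered by a wider entry of another rule.

    Each result is (sid_inner, inner_entry, sid_outer, outer_entry).
    """
    parsed = [parse_rule(r) for r in rules]
    found = []
    for sid_a, nets_a in parsed:
        for sid_b, nets_b in parsed:
            if sid_a == sid_b:
                continue
            for na in nets_a:
                for nb in nets_b:
                    if na != nb and na.subnet_of(nb):
                        found.append((sid_a, str(na), sid_b, str(nb)))
    return found


if __name__ == "__main__":
    # The famatech update host from the alert in the message.
    for sid, entry in matching_entries("198.63.210.130", RULES):
        print(f"198.63.210.130 matched by sid {sid} entry {entry}")
    for sid_in, inner, sid_out, outer in redundant_entries(RULES):
        print(f"sid {sid_in} entry {inner} is already inside sid {sid_out} entry {outer}")
```

Running it shows that 198.63.210.130 is hit only by the /24 in sid 2407012, and that the one host the two lists share is 198.63.210.123, covered both by its own entry in sid 2407013 and by the /24 in sid 2407012. The same two functions work unchanged on any rule file whose source field is a bracketed address list, so they can be pointed at a whole `emerging-rbn-BLOCK.rules` to find every such overlap before deploying a `fwsam` blocking rule.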


