Thread: New sig submission Gmail SMTP outbound




New sig submission Gmail SMTP outbound
user name
2006-07-28 13:29:31

I noticed this through my own fracture of corporate policy.

 

The current signature (2001426) only looks for messages sent using the Gmail web interface; however Gmail offers a free POP service and inbound SMTP server for users to connect to using their mail clients.  The following is assuming any connection to smtp.gmail.com on port 465 to be an outgoing Gmail message.

 

Ref: http://mail.google.com/support/bin/answer.py?answer=13278

 

Note: they use an SSL connection, this packet is just part of the handshake.

 

09:08:39.418536 10.70.1.5.1459 > 64.233.185.109.465: P 396:431(35) ack 1295 win 64241 (DF)
    4500 004b c388 4000 8006 3183 0a46 0105
    40e9 b96d 05b3 01d1 d64a e8f5 12ff 3839
    5018 faf1 d796 0000 1703 0100 1e18 9821
    b6be b128 7f75 7742 229c d295 5a48 3129
    b78e 0a52 de7d b2b4 7aef 4a

 

 

I don’t know if you can modify the current sig to look for this, because if you used an or operator for both the destination IP and destination port you would end up triggering on $HOME_NET any -> $EXTERNAL_NET 465 which would probably be many false positives.

 

New sig:

 

alert tcp $HOME_NET any -> [64.233.185.111, 64.233.185.109, 216.239.57.25, 64.233.167.25, 64.233.183.25] 465 (msg: "BLEEDING-EDGE POLICY Gmail SMTP Message Send"; flow: to_server,established; content:"Content-Disposition\: form-data\; name=\"to\""; nocase; content:"Content-Disposition\: form-data\; name=\"msgbody\""; nocase; classtype: policy-violation; sid: *******; rev:1; )

 

smtp.gmail.com resolves as an alias to smtp1.google.com, smtp2, and smtp3 depending on your location and service provider.

 

 

--

Jon Scheidell

Security Engineer

Secnap Network Security

(561) 999-5000 x:4110

www.secnap.com

 

New sig submission Gmail SMTP outbound
user name
2006-07-28 13:43:22
Good sig, good research!

I'm confused though. If they're running ssl on 465, which they should be,
how can we get the content disposition match in the sig?

Matt

Jonathan Scheidell wrote:
> I noticed this through my own fracture of corporate policy.
>
> The current signature (2001426) only looks for messages sent using the
> Gmail web interface; however Gmail offers a free POP service and inbound
> SMTP server for users to connect to using their mail clients.  The
> following is assuming any connection to smtp.gmail.com on port 465 to be
> an outgoing Gmail message.
>
> Ref: http://mail.google.com/support/bin/answer.py?answer=13278
>
> Note: they use an SSL connection, this packet is just part of the handshake.
>
> 09:08:39.418536 10.70.1.5.1459 > 64.233.185.109.465: P 396:431(35) ack 1295 win 64241 (DF)
>     4500 004b c388 4000 8006 3183 0a46 0105
>     40e9 b96d 05b3 01d1 d64a e8f5 12ff 3839
>     5018 faf1 d796 0000 1703 0100 1e18 9821
>     b6be b128 7f75 7742 229c d295 5a48 3129
>     b78e 0a52 de7d b2b4 7aef 4a
>
> I don’t know if you can modify the current sig to look for this, because
> if you used an or operator for both the destination IP and destination
> port you would end up triggering on $HOME_NET any -> $EXTERNAL_NET 465
> which would probably be many false positives.
>
> New sig:
>
> alert tcp $HOME_NET any -> [64.233.185.111, 64.233.185.109, 216.239.57.25, 64.233.167.25, 64.233.183.25] 465 (msg: "BLEEDING-EDGE POLICY Gmail SMTP Message Send"; flow: to_server,established; content:"Content-Disposition\: form-data\; name=\"to\""; nocase; content:"Content-Disposition\: form-data\; name=\"msgbody\""; nocase; classtype: policy-violation; sid: *******; rev:1; )
>
> smtp.gmail.com resolves as an alias to smtp1.google.com, smtp2, and
> smtp3 depending on your location and service provider.
>
> --
> Jon Scheidell
> Security Engineer
> Secnap Network Security
> (561) 999-5000 x:4110
> www.secnap.com

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigsbleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
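Matt's question can be settled from the bytes Jon posted. The following is an added example, not code from the thread or from Bleeding Edge: it decodes the tcpdump hex above as IPv4/TCP and reads the TLS record header at the start of the TCP payload. The record type byte is 0x17 (application_data, i.e. already encrypted), so the two content: strings in the proposed sig can never match on port 465 and the rule would fire on its destination IP/port alone. The hex string is copied from Jon's post; the function and type names are my own.

```python
import struct
from typing import NamedTuple

# Packet bytes copied from the tcpdump hex dump in Jon's post (IP header onward).
PACKET_HEX = (
    "4500 004b c388 4000 8006 3183 0a46 0105 "
    "40e9 b96d 05b3 01d1 d64a e8f5 12ff 3839 "
    "5018 faf1 d796 0000 1703 0100 1e18 9821 "
    "b6be b128 7f75 7742 229c d295 5a48 3129 "
    "b78e 0a52 de7d b2b4 7aef 4a"
)

TLS_RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                    0x16: "handshake", 0x17: "application_data"}


class TlsRecord(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    record_type: str
    version: tuple
    length: int
    payload: bytes


def parse_tls_over_tcp(hex_dump: str) -> TlsRecord:
    """Decode IPv4 + TCP headers, then the 5-byte TLS record header that follows."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if raw[0] >> 4 != 4 or raw[9] != 6:          # IPv4 carrying TCP only
        raise ValueError("not an IPv4/TCP packet")
    ihl = (raw[0] & 0x0F) * 4                     # IPv4 header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]            # skip TCP header (data offset)
    ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", payload[:5])
    body = payload[5:5 + rlen]
    if len(body) != rlen:
        raise ValueError("truncated TLS record")
    return TlsRecord(src, dst, sport, dport,
                     TLS_RECORD_TYPES.get(ctype, f"unknown({ctype:#x})"),
                     (vmaj, vmin), rlen, body)


def content_visible(rec: TlsRecord, needle: bytes) -> bool:
    """Would a Snort content: match on this byte string see anything in the record body?"""
    return needle.lower() in rec.payload.lower()
```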