[Snort-users] Unknown POP3 Command

James Lay digitalx00 at ...11827...
Wed Jun 5 08:00:57 EDT 2013

On Jun 4, 2013, at 4:27 PM, Josh Bitto <jbitto at ...16055...> wrote:

> I’m getting the following alert…
> [142:1:1] (POP) Unknown POP3 command [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
> Can anyone elaborate to me what this signature is intended for? I know…I know….Do a pcap. I was just curious I couldn’t find any definition information on what it’s looking at or the call on it.
> ------------------------------------------------------------------------------
> How ServiceNow helps IT people transform IT departments:
> 1. A cloud service to automate IT design, transition and operations
> 2. Dashboards that offer high-level views of enterprise services
> 3. A single system of record for all IT processes
> http://p.sf.net/sfu/servicenow-d2d-j_______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


My guess is that it didn't conform to any of the commands listed here:


If you're logging to pcap or unified from snort, you should have the offending packet to look at…would be interested to see what's in there myself.  Hope that helps.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130605/351b3210/attachment.html>

More information about the Snort-users mailing list