[Snort-users] Unknown POP3 Command

James Lay digitalx00 at ...11827...
Wed Jun 5 08:00:57 EDT 2013


On Jun 4, 2013, at 4:27 PM, Josh Bitto <jbitto at ...16055...> wrote:

> I’m getting the following alert…
>  
> [142:1:1] (POP) Unknown POP3 command [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
>  
> Can anyone elaborate on what this signature is intended for? I know… I know… do a pcap. I was just curious; I couldn’t find any definition information on what it’s looking at or the call on it.

Josh,

My guess is that it didn't conform to any of the commands listed here:

http://www.faqs.org/rfcs/rfc1939.html

If you're logging to pcap or unified from snort, you should have the offending packet to look at…would be interested to see what's in there myself.  Hope that helps.

James
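
One way to check the client-to-server half of a captured session against the command keywords in the RFC 1939 document linked above. This is an added example, not part of the original message and not Snort's POP preprocessor logic. The function name and the sample bytes are constructed for illustration, and commands defined in later extension RFCs are deliberately reported as outside RFC 1939.

```python
# Added example: triage helper, not Snort's POP preprocessor logic.
# Command keywords defined in RFC 1939 (case-insensitive, 3 or 4 characters).
RFC1939_COMMANDS = {
    "USER", "PASS", "APOP", "STAT", "LIST", "RETR",
    "DELE", "NOOP", "RSET", "TOP", "UIDL", "QUIT",
}


def unknown_pop3_commands(client_stream: bytes):
    """Return (line_number, keyword, reason) for each client line whose
    keyword is not an RFC 1939 command."""
    findings = []
    for number, line in enumerate(client_stream.split(b"\r\n"), start=1):
        if not line:
            continue  # empty piece, e.g. after the final CRLF
        keyword = line.split(b" ", 1)[0]
        # RFC 1939 keywords are printable ASCII; anything else is suspect.
        if not all(0x21 <= b <= 0x7E for b in keyword):
            findings.append((number, repr(keyword), "non-printable bytes"))
            continue
        name = keyword.decode("ascii").upper()
        if name not in RFC1939_COMMANDS:
            findings.append((number, name, "not in RFC 1939"))
    return findings


# Constructed sample: the client-to-server half of a POP3 session.
SAMPLE = (
    b"CAPA\r\n"                  # extension command (RFC 2449), not in RFC 1939
    b"user alice\r\n"            # keywords are case-insensitive
    b"PASS example\r\n"
    b"STAT\r\n"
    b"\x16\x03\x01\x00\x2e\r\n"  # binary data on the POP3 port
    b"XYZZY 1\r\n"
    b"QUIT\r\n"
)

if __name__ == "__main__":
    for number, keyword, reason in unknown_pop3_commands(SAMPLE):
        print(f"line {number}: {keyword} ({reason})")
```
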