[Snort-users] pop: Unknown POP3 response/command

Joel Esler (jesler) jesler at ...589...
Fri Dec 18 10:52:34 EST 2015


Well, the good news is, it's not a false positive.  Snort is just seeing a command used in the POP3 traffic that isn't defined in the snort.conf.

Take a look at the alerts, isolate the commands being used, and compare them against the pop3 preprocessor configuration in the snort.conf, and add the ones that you know are okay, and investigate the ones that aren't.


Sent from my iPad

On Dec 18, 2015, at 10:46 AM, Matteo De Rosa <matteo.derosa at ...17411...> wrote:


I have just installed snort and I observe a lot of (I suppose) false positives. I start from this:

 Signature                                  Classification            Total #     Sensor #   Source Address   Dest. Address   First   Last
 [snort] pop: Unknown POP3 response         protocol-command-decode   2962 (0%)   1          37
 (signature reference: http://www.snort.org/search/sid/142-2)


The source address is correctly our mail server. The dest addresses are our LAN clients.
Could it be a version problem between server and client?
But, the thing that is close to my heart: how can I ack this event and not see it in the BASE web front-end?


Thanks to all for any contribution

Matteo

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
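As an added illustration of the triage step suggested above (this is example code, not Snort code and not from either poster), the script below takes a captured POP3 session, separates client commands from server responses while tracking multi-line responses and AUTH exchanges, and reports whatever falls outside a known vocabulary. The vocabulary is an assumption built from RFC 1939 plus the CAPA, STLS and AUTH extensions; it is not Snort's internal table, so treat the output as a starting point for the compare-and-investigate step, not as a verdict. The sample session and credentials are constructed.

```python
"""Triage helper for 'pop: Unknown POP3 command/response' style alerts.

Added example, not part of Snort or of the thread. Input is a list of
(direction, line) pairs: 'C' for client->server, 'S' for server->client.
"""
import re
from collections import Counter

# Assumed vocabulary: RFC 1939 plus CAPA (RFC 2449), STLS (RFC 2595) and
# AUTH (RFC 5034). Illustrative only; Snort's own built-in list may differ.
KNOWN_COMMANDS = {"USER", "PASS", "APOP", "STAT", "LIST", "RETR", "DELE", "NOOP",
                  "RSET", "QUIT", "TOP", "UIDL", "CAPA", "STLS", "AUTH"}
ALWAYS_MULTILINE = {"RETR", "TOP", "CAPA"}   # +OK is followed by data up to "."
ARGLESS_MULTILINE = {"LIST", "UIDL"}         # multi-line only when no argument
STATUS_RE = re.compile(r"^(\+OK|-ERR)(\s|$)")  # the only RFC 1939 status forms
SASL_CONT_RE = re.compile(r"^\+( |$)")         # RFC 5034 server continuation


def triage_session(lines):
    """Return (counts, findings).

    counts   - Counter of known commands/status lines/body lines seen
    findings - list of (line_no, kind, detail) an analyst should look at:
               'unknown-command', 'unknown-response' or 'sasl-continuation'
               (the last is legitimate but is not a +OK/-ERR line)
    """
    counts = Counter()
    findings = []
    in_body = False      # inside a multi-line server response
    in_auth = False      # inside an AUTH exchange (client lines are SASL data)
    expect_body = False  # the next +OK opens a multi-line response
    for n, (direction, raw) in enumerate(lines, 1):
        text = raw.rstrip("\r\n")
        if direction == "C":
            if in_auth:                       # base64 SASL data, not a command
                counts["sasl-client-data"] += 1
                continue
            parts = text.split(" ", 1)
            cmd = parts[0].upper()
            arg = parts[1].strip() if len(parts) > 1 else ""
            if cmd in KNOWN_COMMANDS:
                counts["cmd:" + cmd] += 1
            else:
                findings.append((n, "unknown-command", cmd))
            expect_body = cmd in ALWAYS_MULTILINE or (
                cmd in ARGLESS_MULTILINE and not arg)
            in_auth = cmd == "AUTH"
        else:
            if in_body:                       # message/list data, "." terminates
                if text == ".":
                    in_body = False
                counts["body-line"] += 1
                continue
            m = STATUS_RE.match(text)
            if m:
                counts["resp:" + m.group(1)] += 1
                if m.group(1) == "+OK" and expect_body:
                    in_body = True
                expect_body = False
                in_auth = False               # +OK/-ERR ends an AUTH exchange
            elif in_auth and SASL_CONT_RE.match(text):
                counts["sasl-continuation"] += 1
                findings.append((n, "sasl-continuation", text[:40]))
            else:
                findings.append((n, "unknown-response", text[:40]))
    return counts, findings


# Constructed session: one RFC-style exchange, one SASL login, and one
# hypothetical vendor command (XTND) that is not in the assumed vocabulary.
SAMPLE_SESSION = [
    ("S", "+OK POP3 server ready"),
    ("C", "CAPA"),
    ("S", "+OK Capability list follows"),
    ("S", "TOP"), ("S", "UIDL"), ("S", "SASL PLAIN"), ("S", "."),
    ("C", "AUTH PLAIN"),
    ("S", "+ "),
    ("C", "AGFsaWNlAHNlY3JldA=="),            # constructed: "\0alice\0secret"
    ("S", "+OK Logged in"),
    ("C", "STAT"), ("S", "+OK 1 320"),
    ("C", "LIST"), ("S", "+OK 1 messages"), ("S", "1 320"), ("S", "."),
    ("C", "XTND XLST From"),                  # not in the assumed vocabulary
    ("S", "-ERR unknown command"),
    ("C", "RETR 1"), ("S", "+OK 320 octets"),
    ("S", "From: a@example.com"),
    ("S", "+OK this line is message body, not a status"),  # must not count
    ("S", "."),
    ("C", "QUIT"), ("S", "+OK Bye"),
]

if __name__ == "__main__":
    counts, findings = triage_session(SAMPLE_SESSION)
    for key in sorted(counts):
        print(f"{key:22s} {counts[key]}")
    for line_no, kind, detail in findings:
        print(f"line {line_no:3d}: {kind:18s} {detail}")
```

The state tracking is what makes the comparison meaningful: a "+OK" inside a RETR body and a "+ " SASL continuation are both lines a naive status check would misjudge, and they are the kind of traffic worth ruling out before treating an unknown-response alert as something to investigate.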

