[Snort-users] pop: Unknown POP3 response/command

Al Lewis (allewi) allewi at ...589...
Fri Dec 18 10:56:06 EST 2015


Hello,

This is a preprocessor rule. This could be that the known/configured POP commands are truncated/altered somehow and Snort is unable to read/interpret them. Check the traffic within a pcap to make sure it's correct/valid.


Events
================================================================================
The POP preprocessor uses GID 142 to register events.


SID   Description
--------------------------------------------------------------------------------
  1   Alert if POP encounters an invalid POP3 command.
  2   Alert if POP encounters an invalid POP3 response.


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...
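As an added example (not part of Al's reply and not Snort's own code), the following Python replays a POP3 conversation and flags the two conditions the GID 142 events describe: a client line that is not a recognised POP3 command (SID 1) and a server line that is neither a +OK/-ERR status line nor part of a multi-line reply (SID 2). It is meant as a sanity check for the traffic you pull out of the pcap. The command set is RFC 1939 plus the common CAPA/STLS/AUTH extensions; both transcripts below are constructed for the example, not taken from the thread.

```python
"""
Replay a POP3 session and report what Snort's POP preprocessor events describe:
  unknown_command   -> GID 142, SID 1 (invalid POP3 command)
  invalid_response  -> GID 142, SID 2 (invalid POP3 response)
Added example; not Snort code. Transcripts are constructed sample data.
"""

# RFC 1939 commands plus the extensions most servers/clients use.
KNOWN_COMMANDS = {
    "USER", "PASS", "QUIT", "STAT", "LIST", "RETR", "DELE", "NOOP",
    "RSET", "TOP", "UIDL", "APOP", "CAPA", "STLS", "AUTH",
}

# A +OK to these is followed by a multi-line block terminated by a lone ".".
ALWAYS_MULTILINE = {"RETR", "TOP", "CAPA"}
MULTILINE_WITHOUT_ARG = {"LIST", "UIDL"}


def check_session(lines):
    """lines: [("C" | "S", text), ...] in wire order, CRLF already stripped.
    Returns [(index, event, text)] for every suspicious line."""
    findings = []
    pending = None      # (command, expects_multiline) awaiting its status line
    in_data = False     # server is inside a multi-line block
    sasl_turn = False   # client's next line is SASL data, not a command

    for i, (side, text) in enumerate(lines):
        if side == "C":
            if sasl_turn:           # base64 answer to an AUTH challenge
                sasl_turn = False
                continue
            parts = text.split()
            cmd = parts[0].upper() if parts else ""
            if cmd not in KNOWN_COMMANDS:
                findings.append((i, "unknown_command", text))
                pending = None
                continue
            multiline = cmd in ALWAYS_MULTILINE or (
                cmd in MULTILINE_WITHOUT_ARG and len(parts) == 1)
            pending = (cmd, multiline)
            continue

        # server side
        if in_data:
            # Message bodies may contain lines that look like status lines;
            # only the terminating "." matters here.
            if text == ".":
                in_data = False
            continue
        if text.startswith("+OK"):
            if pending is not None and pending[1]:
                in_data = True
        elif text.startswith("-ERR"):
            pass
        elif (text == "+" or text.startswith("+ ")) and pending is not None \
                and pending[0] == "AUTH":
            sasl_turn = True        # SASL challenge; AUTH is still pending
            continue
        else:
            findings.append((i, "invalid_response", text))
        pending = None
    return findings


# Constructed sample: a clean session, including a RETR body whose text
# happens to start with "-ERR" (must not be flagged).
GOOD_SESSION = [
    ("S", "+OK POP3 server ready"),
    ("C", "CAPA"), ("S", "+OK Capability list follows"),
    ("S", "TOP"), ("S", "UIDL"), ("S", "."),
    ("C", "USER alice"), ("S", "+OK"),
    ("C", "PASS secret"), ("S", "+OK Logged in."),
    ("C", "LIST"), ("S", "+OK 1 messages"), ("S", "1 57"), ("S", "."),
    ("C", "RETR 1"), ("S", "+OK 57 octets"),
    ("S", "From: bob@example.invalid"), ("S", ""),
    ("S", "-ERR this is body text, not a status line"), ("S", "."),
    ("C", "QUIT"), ("S", "+OK Bye"),
]

# Constructed sample: greeting missing its "+", and a truncated command.
BAD_SESSION = [
    ("S", "OK POP3 server ready"),
    ("C", "USER alice"), ("S", "+OK"),
    ("C", "PASS secret"), ("S", "+OK"),
    ("C", "RET 1"), ("S", "-ERR unknown command"),
    ("C", "QUIT"), ("S", "+OK"),
]

if __name__ == "__main__":
    for name, session in (("good", GOOD_SESSION), ("bad", BAD_SESSION)):
        for idx, event, text in check_session(session):
            print(f"{name}: line {idx}: {event}: {text!r}")
```

The checker is stateful on purpose: after a +OK to RETR, TOP, CAPA, or an argument-less LIST/UIDL it stays in data mode until the lone ".", so a message body line beginning with "-ERR" or "+OK" is not misreported. When you walk the pcap, look for the same things: client commands that are cut short or carry odd bytes, and server lines outside a data block that do not start with +OK or -ERR.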

From: Matteo De Rosa [mailto:matteo.derosa at ...17411...]
Sent: Friday, December 18, 2015 10:43 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] pop: Unknown POP3 response/command


I have just installed Snort and I observe a lot of (I suppose) false positives. I start from this:

BASE alert summary (columns: Signature, Classification, Total #, Sensor #, Source Address, Dest. Address, First, Last):

[snort] pop: Unknown POP3 response (http://www.snort.org/search/sid/142-2) | protocol-command-decode | 2962 (0%) | 1 | 37


The source address is, correctly, our mail server. The dest addresses are our LAN clients.
Can it be a version problem between server and client?
But the thing that is closest to my heart: how can I ack this event so that I don't see it in the BASE web front-end?



Thanks to all for any contribution

Matteo
