[Snort-users] pop: Unknown POP3 response/command

Matteo De Rosa matteo.derosa at ...17411...
Tue Jan 12 07:39:59 EST 2016


I have similar alerts for POP and IMAP:

[snort] pop: Unknown POP3 response	protocol-command-decode	523(0%)	1	1	30
[snort] pop: Unknown POP3 command	protocol-command-decode	941(0%)	1	45	1
[snort] imap: Unknown IMAP4 command	protocol-command-decode	450(0%)	1	19	1


The decoding methods specified in snort.conf are:

# POP preprocessor. For more information see README.pop
preprocessor pop: \
   ports { 110 } \
   b64_decode_depth 0 \
   qp_decode_depth 0 \
   bitenc_decode_depth 0 \
   uu_decode_depth 0

# IMAP preprocessor.  For more information see README.imap
preprocessor imap: \
   ports { 143 } \
   b64_decode_depth 0 \
   qp_decode_depth 0 \
   bitenc_decode_depth 0 \
   uu_decode_depth 0

All are related to the unique ENEA-mail-server and a lot of Enea-clients.

> How can I get the entire session in a pcap? By BASE? And how?

Many thanks for the collaboration.


