[Snort-users] Unknown POP3 response/command

Al Lewis (allewi) allewi at ...589...
Tue Jan 12 09:39:30 EST 2016


I am not familiar with BASE so someone else will have to help you with that.

Use tcpdump/wireshark/snoop etc... to capture one of those email sessions.  (You can replay the traffic back into snort and see if you have the traffic in question that is giving you the alerts.)

If you do have the traffic then open it in wireshark to view the entire tcp stream (use the 'follow tcp stream' option) and go from there.

Hope this helps!


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...
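To "go from there" once the stream has been followed in Wireshark, it helps to know which lines a POP3 decoder would refuse, since that is what GID 142 SID 1 (unknown command) and SID 2 (unknown response) in the quoted report below key on. The script here is an added example, not code from the list post or from Snort. It assumes the follow-stream text has been prefixed by hand with "C: " for client-to-server and "S: " for server-to-client lines (Wireshark only colours the two directions), and it uses the RFC 1939 command set plus CAPA/AUTH (RFC 2449) and STLS (RFC 2595), which is assumed to approximate, not reproduce, the preprocessor's own table. Both sessions at the bottom are constructed.

```python
"""Flag lines of a direction-annotated POP3 stream dump that would not parse
as a known POP3 command or a +OK/-ERR status line. Added example; the
command table is an assumption about what the Snort pop preprocessor accepts."""
import re
from dataclasses import dataclass

# RFC 1939 core commands plus CAPA/AUTH (RFC 2449) and STLS (RFC 2595).
KNOWN_COMMANDS = {
    "USER", "PASS", "APOP", "QUIT", "STAT", "LIST", "RETR", "DELE", "NOOP",
    "RSET", "TOP", "UIDL", "CAPA", "AUTH", "STLS",
}
LINE_RE = re.compile(r"^(C|S): ?(.*)$")   # assumed hand-added direction prefix


@dataclass
class Finding:
    line_no: int      # 1-based line in the dump
    direction: str    # "C" or "S"
    kind: str         # "unknown_command" (142-1) or "unknown_response" (142-2)
    text: str


def triage_stream(dump: str) -> list[Finding]:
    """Return the lines a POP3 decoder would not accept as command/response."""
    findings: list[Finding] = []
    in_multiline = False        # server is inside a dot-terminated body
    pending_verb = None         # last client command awaiting its status line
    pending_multiline = False   # ...and whether a +OK to it starts a body
    sasl_challenge = False      # server sent "+ <challenge>"; client answers next
    for n, raw in enumerate(dump.splitlines(), 1):
        m = LINE_RE.match(raw)
        if not m:
            continue            # blank or unprefixed line: nothing to classify
        direction, text = m.group(1), m.group(2)
        if direction == "S":
            if in_multiline:
                in_multiline = text != "."      # body data, not a status line
                continue
            if text.startswith("+OK") or text.startswith("-ERR"):
                in_multiline = text.startswith("+OK") and pending_multiline
                pending_verb, pending_multiline = None, False
            elif pending_verb == "AUTH" and text.startswith("+"):
                sasl_challenge = True           # SASL continuation (RFC 2449)
            else:
                findings.append(Finding(n, "S", "unknown_response", text))
        else:
            if sasl_challenge:
                sasl_challenge = False          # base64 SASL answer, not a command
                continue
            parts = text.split(None, 1)
            verb = parts[0].upper() if parts else ""
            args = parts[1] if len(parts) > 1 else ""
            if verb in KNOWN_COMMANDS:
                pending_verb = verb
                # RETR/TOP/CAPA always return a body; LIST/UIDL only without an argument.
                pending_multiline = verb in ("RETR", "TOP", "CAPA") or (
                    verb in ("LIST", "UIDL") and not args)
            else:
                findings.append(Finding(n, "C", "unknown_command", text))
                pending_verb, pending_multiline = None, False
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per alert kind, mirroring the 142-1 / 142-2 split."""
    counts = {"unknown_command": 0, "unknown_response": 0}
    for f in findings:
        counts[f.kind] += 1
    return counts


# Constructed session: normal login and fetch, one proprietary client command.
SESSION_A = """\
S: +OK POP3 server ready
C: CAPA
S: +OK
S: TOP
S: SASL PLAIN
S: .
C: AUTH PLAIN
S: +
C: AGFsaWNlAHNlY3JldA==
S: +OK Logged in.
C: LIST 1
S: +OK 1 1600
C: RETR 1
S: +OK 1600 octets
S: From: bob@example.test
S:
S: +OK this is body data, not a status line
S: .
C: XTND XLST Message-Id
S: -ERR Unknown command
C: QUIT
S: +OK Bye
"""

# Constructed session: a non-POP3 (IMAP-style) server answering on the POP3 port.
SESSION_B = """\
S: * OK IMAP4rev1 server ready
C: USER alice
S: a001 BAD Error in IMAP command received by server.
C: QUIT
S: a002 BAD Error in IMAP command received by server.
"""
```

Run `triage_stream` on each dump and `summarize` the result: session A yields one unknown command (the XTND line; the SASL exchange and the "+OK" inside the message body are correctly left alone), session B yields three unknown responses and no unknown commands, which is the pattern to expect when the thing listening on port 110 is not speaking POP3.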

From: Matteo De Rosa [mailto:matteo.derosa at ...17411...]
Sent: Tuesday, January 12, 2016 7:40 AM
To: Al Lewis (allewi)
Cc: Joel Esler (jesler); snort-users at lists.sourceforge.net
Subject: pop: Unknown POP3 response/command

I have similar alerts for POP and IMAP:

[snort<http://www.snort.org/search/sid/142-2>] pop: Unknown POP3 response
  Classification: protocol-command-decode
  Total: 523 (0%)   Sensors: 1   Src addrs: 1   Dst addrs: 30

[snort<http://www.snort.org/search/sid/142-1>] pop: Unknown POP3 command
  Classification: protocol-command-decode
  Total: 941 (0%)   Sensors: 1   Src addrs: 45   Dst addrs: 1

[snort<http://www.snort.org/search/sid/141-1>] imap: Unknown IMAP4 command
  Classification: protocol-command-decode
  Total: 450 (0%)   Sensors: 1   Src addrs: 19   Dst addrs: 1


Decoding methods specified in snort.conf are:

# POP preprocessor. For more information see README.pop
preprocessor pop: \
   ports { 110 } \
   b64_decode_depth 0 \
   qp_decode_depth 0 \
   bitenc_decode_depth 0 \
   uu_decode_depth 0

# IMAP preprocessor.  For more information see README.imap
preprocessor imap: \
   ports { 143 } \
   b64_decode_depth 0 \
   qp_decode_depth 0 \
   bitenc_decode_depth 0 \
   uu_decode_depth 0

All are related to the single ENEA mail server and a lot of Enea clients.

How can I get the entire session in a pcap? By BASE? And how?

Many thanks for the collaboration.

