<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Candara;
        panose-1:2 14 5 2 3 3 3 2 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
        {font-family:Georgia;
        panose-1:2 4 5 2 5 4 5 2 3 3;}
@font-face
        {font-family:inherit;
        panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Apple Chancery";
        panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">This is a preprocessor rule. This could be that the known/configured POP commands are truncated/altered somehow and Snort is unable
 to read/interpret them. Check the traffic within a pcap to make sure it's correct/valid.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Events<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">================================================================================<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The POP preprocessor uses GID 142 to register events.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">SID   Description<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">--------------------------------------------------------------------------------<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">  1   Alert if POP encounters an invalid POP3 command.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">  2   Alert if POP encounters an invalid POP3 response.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-family:"Candara","sans-serif";color:#1F497D">Albert Lewis<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Candara","sans-serif";color:#888888">QA Software Engineer<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Georgia","serif";color:#999999">SOURCE</span><b><span style="font-family:"Georgia","serif";color:red">fire</span></b><span style="font-family:"Georgia","serif";color:#999999">, Inc.
</span><span style="font-family:"Georgia","serif";color:#888888">now part of </span>
<b><span style="font-family:"Georgia","serif";color:#31849B">Cisco</span></b><span style="font-family:"Georgia","serif";color:#888888"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Candara","sans-serif";color:#999999">9780 Patuxent Woods Drive<br>
Columbia, MD 21046 </span><span style="font-family:"Candara","sans-serif";color:#888888"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Candara","sans-serif";color:#999999">Phone: (office) </span><span style="font-family:"Candara","sans-serif";color:#1F497D">443.430.7112<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Candara","sans-serif";color:#999999">Email:
</span><span style="font-family:"Candara","sans-serif";color:#1F497D">allewi@...589...</span><span style="font-family:"Candara","sans-serif";color:#4F81BD"> </span><span style="font-family:"Candara","sans-serif";color:#1F497D"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Matteo De Rosa [mailto:matteo.derosa@...17411...]
<br>
<b>Sent:</b> Friday, December 18, 2015 10:43 AM<br>
<b>To:</b> snort-users@lists.sourceforge.net<br>
<b>Subject:</b> [Snort-users] pop: Unknown POP3 response/command<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:22.0pt;font-family:"inherit","serif";color:#212121">I have just installed Snort and I observe a lot of (I suppose) false positives. I start from this:</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;background:white;z-index:auto">
<tbody>
<tr>
<td style="background:#C2C2C2;padding:0in 0in 0in 0in">
<p class="MsoNormal" align="center" style="text-align:center"><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> Signature <o:p></o:p></span></b></p>
</td>
<td style="background:#C2C2C2;padding:0in 0in 0in 0in">
<p class="MsoNormal" align="center" style="text-align:center"><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> Classification <o:p></o:p></span></b></p>
</td>
<td style="background:#C2C2C2;padding:0in 0in 0in 0in">
<p class="MsoNormal" align="center" style="text-align:center"><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> Total # <o:p></o:p></span></b></p>
</td>
<td style="background:#C2C2C2;padding:0in 0in 0in 0in">
<p class="MsoNormal" align="center" style="text-align:center"><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> Sensor # <o:p></o:p></span></b></p>
</td>
<td style="background:#C2C2C2;padding:0in 0in 0in 0in">
<p class="MsoNormal" align="center" style="text-align:center"><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> Source Address <o:p></o:p></span></b></p>
</td>
<td style="background:#C2C2C2;padding:0in 0in 0in 0in">
<p class="MsoNormal" align="center" style="text-align:center"><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> Dest. Address <o:p></o:p></span></b></p>
</td>
<td style="background:#C2C2C2;padding:0in 0in 0in 0in">
<p class="MsoNormal" align="center" style="text-align:center"><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> First <o:p></o:p></span></b></p>
</td>
<td style="background:#C2C2C2;padding:0in 0in 0in 0in">
<p class="MsoNormal" align="center" style="text-align:center"><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> Last <o:p></o:p></span></b></p>
</td>
</tr>
<tr>
<td style="background:#DDDDDD;padding:0in 0in 0in 0in">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">   [ ]   <o:p></o:p></span></p>
</td>
<td valign="top" style="background:#DDDDDD;padding:0in 0in 0in 0in">
<p class="MsoNormal" align="center" style="text-align:center"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">[<a href="http://www.snort.org/search/sid/142-2" target="_ACID_ALERT_DESC"><b><span style="color:#223399;text-decoration:none">snort</span></b></a>] pop:
 Unknown POP3 response<o:p></o:p></span></p>
</td>
<td valign="top" style="background:#DDDDDD;padding:0in 0in 0in 0in">
<p class="MsoNormal" align="center" style="text-align:center"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">protocol-command-decode<o:p></o:p></span></p>
</td>
<td valign="top" style="background:#DDDDDD;padding:0in 0in 0in 0in">
<p class="MsoNormal" align="center" style="text-align:center"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><a href="http://192.168.18.112/base/base_qry_main.php?new=1amp;&sig%5B0%5D=%3D&sig%5B1%5D=543&sig_type=1&submit=Query+DB&num_result_rows=-1"><b><span style="color:#223399;text-decoration:none">2962</span></b></a>(0%)<o:p></o:p></span></p>
</td>
<td valign="top" style="background:#DDDDDD;padding:0in 0in 0in 0in">
<p class="MsoNormal" align="center" style="text-align:center"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><a href="http://192.168.18.112/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5D=543&sig_type=1"><b><span style="color:#223399;text-decoration:none">1</span></b></a><o:p></o:p></span></p>
</td>
<td valign="top" style="background:#DDDDDD;padding:0in 0in 0in 0in">
<p class="MsoNormal" align="center" style="text-align:center"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">37<o:p></o:p></span></p>
</td>
<td valign="top" style="background:#DDDDDD;padding:0in 0in 0in 0in"></td>
<td style="background:#DDDDDD;padding:0in 0in 0in 0in"></td>
</tr>
</tbody>
</table>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:22.0pt;color:#212121">Source address is </span><span style="font-size:22.0pt;font-family:"inherit","serif";color:#212121">correctly our
</span><span style="font-size:22.0pt;color:#212121">mail server. Dest addresses are our LAN clients.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:22.0pt;color:#212121">Can it be a version problem between server and client?</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="font-size:22.0pt;color:#212121">But, </span><span style="font-size:22.0pt;font-family:"inherit","serif";color:#212121">the thing that is close to my heart: how can I
</span><span style="font-size:22.0pt;color:#212121">ack this event and not see it in the BASE web front-end?</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:22.0pt;color:#212121"><br>
<br>
</span><o:p></o:p></p>
<pre style="resize: none;white-space:pre-wrap;word-wrap: break-word;overflow:hidden" id="tw-target-text"><span lang="EN" style="font-family:"inherit","serif"">Thanks to all for any contribution</span><span style="font-family:"inherit","serif""><o:p></o:p></span></pre>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span style="font-size:10.5pt;font-family:"Apple Chancery","serif";color:black">Matteo</span></i><span style="color:black"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
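<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Added example, not code from either message above or from the Snort project: the Python below walks a reassembled POP3 transcript and reports the lines a command/response decoder would not recognise, which is the kind of check the reply recommends doing against the pcap before deciding that the GID 142 events are noise. The command and status vocabulary is the one from RFC 1939 (plus CAPA from RFC 2449, AUTH from RFC 1734 and STLS from RFC 2595); that Snort's POP preprocessor uses exactly this list is an assumption, and the session transcript is constructed for the demonstration.</span></p>

```python
"""Offline sanity check for a captured POP3 session.

Added example, not code from the mailing-list post or from the Snort project.
It walks a client/server transcript with the command and response vocabulary
of RFC 1939 (plus CAPA from RFC 2449, AUTH from RFC 1734, STLS from RFC 2595)
and reports the lines a command/response decoder would not recognise. That
Snort's POP preprocessor uses exactly this vocabulary is an assumption; the
session transcript below is constructed for the demonstration.
"""
from __future__ import annotations

import re
from typing import Iterable

# Client commands the decoder is assumed to know (RFC 1939/2449/1734/2595).
KNOWN_COMMANDS = {
    "USER", "PASS", "QUIT", "STAT", "LIST", "RETR", "DELE", "NOOP", "RSET",
    "TOP", "UIDL", "APOP", "CAPA", "AUTH", "STLS",
}
# Commands whose +OK reply is followed by a multi-line body ending in ".\r\n".
MULTILINE_ALWAYS = {"RETR", "TOP", "CAPA"}
MULTILINE_NO_ARG = {"LIST", "UIDL"}   # multi-line only when issued without an argument

STATUS_RE = re.compile(r"^(\+OK|-ERR)(\s|$)")   # RFC 1939 status indicators
SASL_CONT_RE = re.compile(r"^\+( |$)")            # RFC 1734 AUTH challenge line


def audit_session(lines: Iterable[tuple[str, str]]) -> list[str]:
    """Report lines a POP3 decoder would not recognise.

    `lines` is the reassembled TCP stream as (direction, text) pairs, where
    direction is 'C' (client to server) or 'S' (server to client) and text is
    one line without its CRLF. Returned strings are human-readable findings;
    an empty list means every line fitted the protocol grammar.
    """
    findings: list[str] = []
    expect_body = False    # the reply to the last command carries a body
    in_body = False        # inside a multi-line body, waiting for "."
    sasl_pending = False   # server sent an AUTH challenge; next client line is data

    for n, (who, line) in enumerate(lines, start=1):
        if who == "C":
            if sasl_pending:          # base64 SASL response, not a command
                sasl_pending = False
                continue
            verb, _, args = line.partition(" ")
            verb = verb.upper()
            if verb not in KNOWN_COMMANDS:
                findings.append(f"line {n}: unknown command {verb!r} (cf. 142:1)")
                expect_body = False
                continue
            expect_body = verb in MULTILINE_ALWAYS or (
                verb in MULTILINE_NO_ARG and not args.strip()
            )
        elif who == "S":
            if in_body:               # body lines are message data, not responses
                if line == ".":       # byte-stuffed "..x" lines are still data
                    in_body = False
                continue
            if STATUS_RE.match(line):
                in_body = line.startswith("+OK") and expect_body
                expect_body = False
            elif SASL_CONT_RE.match(line):
                sasl_pending = True
            else:
                findings.append(f"line {n}: unknown response {line[:40]!r} (cf. 142:2)")
        else:
            raise ValueError(f"direction must be 'C' or 'S', got {who!r}")

    if in_body:
        findings.append("transcript ends inside a multi-line body (no terminating '.')")
    return findings


# Constructed transcript: a clean login, LIST and RETR, then an extension
# command the decoder does not know and a stray list line outside any body.
SAMPLE_SESSION = [
    ("S", "+OK POP3 server ready"),
    ("C", "USER alice"),
    ("S", "+OK"),
    ("C", "PASS hunter2"),
    ("S", "+OK Logged in."),
    ("C", "LIST"),
    ("S", "+OK 2 messages:"),
    ("S", "1 1234"),
    ("S", "2 567"),
    ("S", "."),
    ("C", "RETR 1"),
    ("S", "+OK 1234 octets"),
    ("S", "From: bob@example.com"),
    ("S", "."),
    ("C", "XTND XLST"),        # not in the RFC command set
    ("S", "-ERR unknown command"),
    ("S", "2 567"),            # list line with no enclosing +OK body
    ("C", "QUIT"),
    ("S", "+OK Bye"),
]

if __name__ == "__main__":
    for finding in audit_session(SAMPLE_SESSION):
        print(finding)
```

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Feed it the reassembled stream from the pcap, one (direction, line) pair per CRLF-terminated line, and the findings point at the exact lines worth looking at: a proprietary extension command, a body whose terminating "." never arrived, or data that a decoder would read as a response. If the traffic turns out to be legitimate and the events are only noise, Snort's threshold.conf accepts a line such as <code>suppress gen_id 142, sig_id 2</code> (or an <code>event_filter</code> with the same gen_id and sig_id) so the event is no longer logged to the database BASE reads; suppressing hides the event rather than explaining it, so do the pcap check first.</span></p>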
</div>
</body>
</html>