Snort mailing list archives
Re: pop: Unknown POP3 response/command
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 18 Dec 2015 15:52:34 +0000
Well, good news is, it's not a false positive. Snort is just seeing a command used in the POP3 traffic that isn't defined in the snort.conf. Take a look at the alerts, isolate the commands being used, and compare them against the pop3 preprocessor configuration in the snort.conf, and add the ones that you know are okay, and investigate the ones that aren't.

Sent from my iPad

On Dec 18, 2015, at 10:46 AM, Matteo De Rosa <matteo.derosa () enea it> wrote:

I have just installed snort and I observe a lot of false (I suppose) positives. I start from this:

[BASE alert summary; columns: Signature | Classification | Total # | Sensor # | Source Address | Dest. Address | First | Last]
[snort] pop: Unknown POP3 response (sid 142-2, http://www.snort.org/search/sid/142-2) | protocol-command-decode | 2962 (0%) | 1 | 37

Source address is correctly our mail server. Dest addresses are our LAN clients. Can it be a version problem between server and client? But the thing that is closest to my heart: how can I ack this event and not see it in the BASE web front-end?

Thanks to all for any contribution
Matteo

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
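The triage Joel describes (pull the commands and responses out of the POP3 traffic and compare them against what is expected) can be scripted; the example below is added here and is not code from the thread or from Snort. It assumes a session transcript extracted from a pcap with client lines tagged "C:" and server lines "S:", and uses the RFC 1939 command set plus CAPA, STLS and AUTH as an assumed baseline, not Snort's internal command table.

```python
import re
from collections import Counter

# Baseline POP3 command set: RFC 1939 plus the common extensions CAPA
# (RFC 2449), STLS (RFC 2595) and AUTH (RFC 1734). This is an assumed
# triage baseline, not Snort's own internal command table.
KNOWN_POP3_COMMANDS = {
    "USER", "PASS", "APOP", "STAT", "LIST", "RETR", "DELE", "NOOP",
    "RSET", "QUIT", "TOP", "UIDL", "CAPA", "STLS", "AUTH",
}

# Constructed sample session (not a real capture): "C:" lines are client
# commands, "S:" lines are server status responses extracted from a pcap.
SAMPLE_SESSION = """\
S: +OK POP3 server ready
C: USER alice
S: +OK
C: PASS s3cret
S: +OK Logged in.
C: XTND XLST Subject
S: -ERR unknown command
C: STAT
S: +OK 2 3200
C: XOAUTH2 dXNlcj1hbGljZQ==
S: * BYE unexpected
C: QUIT
S: +OK Bye
"""

def triage_pop3_session(session):
    """Tally client commands; report those outside the baseline and any
    server status line that does not start with +OK or -ERR (RFC 1939)."""
    cmd_counts = Counter()
    unknown_cmds = set()
    bad_responses = []
    for line in session.splitlines():
        m = re.match(r"^(C|S):\s*(.*)$", line)
        if not m:
            continue  # skip anything that is not a tagged transcript line
        side, payload = m.groups()
        if side == "C":
            verb = payload.split(" ", 1)[0].upper()
            cmd_counts[verb] += 1
            if verb not in KNOWN_POP3_COMMANDS:
                unknown_cmds.add(verb)
        elif not (payload.startswith("+OK") or payload.startswith("-ERR")):
            bad_responses.append(payload)
    return cmd_counts, sorted(unknown_cmds), bad_responses
```

Since the alert in the thread is the response-side one and its source address is the mail server, the malformed-response list is the first place to look; a vendor extension that turns up repeatedly in the unknown-command list is a candidate for whitelisting once it is confirmed legitimate.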
Current thread:
- pop: Unknown POP3 response/command Matteo De Rosa (Dec 18)
- Re: pop: Unknown POP3 response/command Joel Esler (jesler) (Dec 18)
- Re: pop: Unknown POP3 response/command Al Lewis (allewi) (Dec 18)