Snort mailing list archives

Re: pop: Unknown POP3 response/command


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 18 Dec 2015 15:52:34 +0000

Well, good news is, it's not a false positive. Snort is just seeing a command used in the POP3 traffic that isn't defined in the snort.conf.

Take a look at the alerts, isolate the commands being used, and compare them against the pop3 preprocessor configuration in the snort.conf, and add the ones that you know are okay, and investigate the ones that aren't.


Sent from my iPad

On Dec 18, 2015, at 10:46 AM, Matteo De Rosa <matteo.derosa () enea it> wrote:


I have just installed Snort and I observe a lot of (I suppose) false positives. I start from this:

Signature | Classification | Total # | Sensor # | Source Address | Dest. Address | First | Last
[snort] pop: Unknown POP3 response (http://www.snort.org/search/sid/142-2) | protocol-command-decode | 2962 (0%) | 1 | 37


The source address is correctly our mail server. The dest addresses are our LAN clients.
Can it be a version problem between server and client?
But the thing that is close to my heart: how can I ack this event and not see it in the BASE web front-end?


Thanks to all for any contribution

Matteo

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
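The triage Joel describes, working out which POP3 commands and responses on the wire fall outside the known set before deciding what to add to snort.conf, as an added example that is not part of this thread or of Snort itself. It assumes a captured session as a list of (direction, line) tuples, takes RFC 1939 plus CAPA/STLS/AUTH as the "known" set (the snort.conf list is what actually counts), and runs over a constructed sample session.

```python
# Known POP3 verbs: RFC 1939 plus CAPA (RFC 2449), STLS (RFC 2595), AUTH (RFC 5034).
# Assumption: this stands in for whatever snort.conf treats as known; that list is authoritative.
KNOWN_COMMANDS = {
    "USER", "PASS", "APOP", "QUIT", "STAT", "LIST", "RETR", "DELE", "NOOP",
    "RSET", "TOP", "UIDL", "CAPA", "STLS", "AUTH",
}

def _expects_multiline(cmd, arg):
    """RETR, TOP and CAPA reply with a body ending in '.'; LIST and UIDL only when given no argument."""
    return cmd in {"RETR", "TOP", "CAPA"} or (cmd in {"LIST", "UIDL"} and not arg)

def triage_pop3_session(session):
    """session: list of (direction, line), 'C' client / 'S' server. Returns client lines with
    unknown verbs and server status lines that are neither +OK nor -ERR; multi-line bodies are skipped."""
    unknown_cmds, unknown_resps = [], []
    last_cmd, last_arg, in_body = None, "", False
    for direction, raw in session:
        line = raw.rstrip("\r\n")
        if direction == "C":
            parts = line.split(" ", 1)
            last_cmd, last_arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
            if last_cmd not in KNOWN_COMMANDS:
                unknown_cmds.append(line)
            continue
        if in_body:                        # body lines are data, not status lines
            in_body = line != "."
            continue
        if line.startswith("+OK"):
            in_body = _expects_multiline(last_cmd, last_arg)
        elif not line.startswith("-ERR"):
            unknown_resps.append(line)     # e.g. the SASL "+ " continuation
    return {"unknown_commands": unknown_cmds, "unknown_responses": unknown_resps}

# Constructed sample session, not traffic from the poster's network.
SAMPLE_SESSION = [
    ("S", "+OK POP3 server ready"),
    ("C", "CAPA"),
    ("S", "+OK Capability list follows"), ("S", "TOP"), ("S", "UIDL"), ("S", "."),
    ("C", "AUTH PLAIN"),
    ("S", "+ "),                           # RFC 5034 continuation: neither +OK nor -ERR
    ("C", "dXNlcgB1c2VyAHBhc3M="),          # SASL blob (dummy "user"/"pass"); reads as an unknown verb
    ("S", "+OK Logged in"),
    ("C", "XVENDOR 10.0.0.5"),             # constructed vendor extension, not in RFC 1939
    ("S", "-ERR unknown command"),
    ("C", "QUIT"), ("S", "+OK Bye"),
]

if __name__ == "__main__":
    print(triage_pop3_session(SAMPLE_SESSION))
```

On the sample, a legitimate AUTH exchange is what produces the "unknown" lines, which is the case for reviewing the list rather than silencing the alert.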
