Snort mailing list archives

Re: pop: Unknown POP3 response/command


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 18 Dec 2015 15:56:06 +0000

Hello,

This is a preprocessor rule. This could be that the known/configured POP commands are truncated/altered somehow and 
snort is unable to read/interpret them. Check the traffic within a pcap to make sure it's correct/valid.


Events
================================================================================
The POP preprocessor uses GID 142 to register events.


SID   Description
--------------------------------------------------------------------------------
  1   Alert if POP encounters an invalid POP3 command.
  2   Alert if POP encounters an invalid POP3 response.


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com
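As an added illustration (not part of Al's reply, and not Snort's own preprocessor code), the checker below applies the two conditions behind GID 142 SIDs 1 and 2 to a reassembled, line-split POP3 conversation: a client line must start with a known POP3 verb, and a server line outside a multi-line data block must start with +OK or -ERR. The command set (RFC 1939 plus the CAPA, STLS and AUTH extensions), the direction labels and the sample transcript are constructed for the example; it does not model how the Snort preprocessor tracks state internally, only which lines the two checks would flag, which is the comparison to make against a pcap of the mail server's traffic.

```python
"""Stand-alone POP3 session checker (added example, not Snort code).

Mirrors the two conditions behind GID 142, SID 1 (invalid command) and
SID 2 (invalid response) on a reassembled, line-split POP3 conversation.
"""
from dataclasses import dataclass

# RFC 1939 commands plus the common extensions CAPA (RFC 2449),
# STLS (RFC 2595) and AUTH (RFC 1734). Assumption: this is the set
# the checker treats as "known"; adjust it to what your server speaks.
POP3_COMMANDS = {
    "USER", "PASS", "APOP", "STAT", "LIST", "RETR", "DELE", "NOOP",
    "RSET", "QUIT", "TOP", "UIDL", "CAPA", "STLS", "AUTH",
}
# Commands whose +OK reply is followed by data lines ending in a lone ".".
# LIST and UIDL are multi-line only when sent without an argument.
MULTILINE_OK = {"LIST", "RETR", "TOP", "UIDL", "CAPA"}


@dataclass
class Finding:
    line_no: int    # 1-based index into the session
    direction: str  # "C" client->server, "S" server->client
    text: str
    sid: int        # 1 = unknown command, 2 = unknown response (GID 142)


def classify_session(lines):
    """Return a Finding for every line the two checks would flag.

    `lines` is a list of (direction, text) tuples with CRLF stripped.
    """
    findings = []
    last_cmd, last_arg = None, ""
    in_multiline = False
    for n, (direction, text) in enumerate(lines, 1):
        if direction == "S":
            if in_multiline:
                # Data lines are not status lines; the lone "." ends them.
                if text == ".":
                    in_multiline = False
                continue
            if not (text.startswith("+OK") or text.startswith("-ERR")):
                findings.append(Finding(n, "S", text, 2))
                continue
            # Decide whether a data block follows this +OK.
            if text.startswith("+OK") and last_cmd in MULTILINE_OK:
                if last_cmd not in ("LIST", "UIDL") or last_arg == "":
                    in_multiline = True
        else:
            parts = text.split(None, 1)
            verb = parts[0].upper() if parts else ""
            if verb not in POP3_COMMANDS:
                findings.append(Finding(n, "C", text, 1))
                last_cmd, last_arg = None, ""
            else:
                last_cmd = verb
                last_arg = parts[1].strip() if len(parts) > 1 else ""
    return findings


def summarize(findings):
    """Count findings per SID, the same grouping BASE shows per signature."""
    counts = {}
    for f in findings:
        counts[f.sid] = counts.get(f.sid, 0) + 1
    return counts


# Constructed sample session (not captured traffic): a normal login and
# mailbox read, then one non-RFC verb and one mangled status line.
SAMPLE_SESSION = [
    ("S", "+OK POP3 server ready"),
    ("C", "USER alice"),
    ("S", "+OK"),
    ("C", "PASS hunter2"),
    ("S", "+OK logged in"),
    ("C", "STAT"),
    ("S", "+OK 2 320"),
    ("C", "LIST"),
    ("S", "+OK 2 messages"),
    ("S", "1 120"),
    ("S", "2 200"),
    ("S", "."),
    ("C", "RETR 1"),
    ("S", "+OK 120 octets"),
    ("S", "From: bob@example.test"),
    ("S", "Subject: hi"),
    ("S", ""),
    ("S", "Hello"),
    ("S", "."),
    ("C", "XAUTH2 token"),        # not in the known set -> SID 1
    ("S", "-ERR unknown command"),
    ("C", "UIDL 1"),
    ("S", "+OK 1 abc123"),        # single-line because UIDL had an argument
    ("C", "QUIT"),
    ("S", "OK bye"),              # missing "+" -> SID 2
]

if __name__ == "__main__":
    for f in classify_session(SAMPLE_SESSION):
        print(f"line {f.line_no} {f.direction} gid 142 sid {f.sid}: {f.text!r}")
    print(summarize(classify_session(SAMPLE_SESSION)))
```

Run against the lines of a real session extracted from the pcap (one tuple per line, client and server tagged), the output shows which exact lines fail the command or status-line check. If the flagged lines are legitimate commands or responses your server uses but the known set does not contain, that is the case Al describes: the preprocessor's configured command list and the server's actual dialect disagree, and the fix is on the configuration side rather than in the traffic.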

From: Matteo De Rosa [mailto:matteo.derosa () enea it]
Sent: Friday, December 18, 2015 10:43 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] pop: Unknown POP3 response/command


I have just installed snort and I observe a lot of false positives (I suppose). I start from this:

Signature                                  Classification            Total #     Sensor #   Source Address   Dest. Address   First   Last
-----------------------------------------  ------------------------  ----------  ---------  ---------------  --------------  ------  ----
[snort] pop: Unknown POP3 response         protocol-command-decode   2962 (0%)   1          37
(http://www.snort.org/search/sid/142-2)


Source address is correctly our mail server. Dest addresses are our LAN clients.
Can it be a version problem between server and client?
But, the thing that is close to my heart: how can I ack this event and not see it in the BASE web front-end?



Thanks to all for any contribution

Matteo

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!