Snort mailing list archives

Re: Unknown POP3 response/command


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 12 Jan 2016 14:39:30 +0000

I am not familiar with BASE so someone else will have to help you with that.

Use tcpdump/wireshark/snoop etc... to capture one of those email sessions.  (You can replay the traffic back into snort 
and see if you have the traffic in question that is giving you the alerts.)

If you do have the traffic then open it in wireshark to view the entire tcp stream (use the 'follow tcp stream' option) 
and go from there.

Hope this helps!


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Matteo De Rosa [mailto:matteo.derosa () enea it]
Sent: Tuesday, January 12, 2016 7:40 AM
To: Al Lewis (allewi)
Cc: Joel Esler (jesler); snort-users () lists sourceforge net
Subject: pop: Unknown POP3 response/command

I have similar alerts for POP and IMAP :

[snort sid 142-2 <http://www.snort.org/search/sid/142-2>] pop: Unknown POP3 response
protocol-command-decode
523 alerts (0%), 1 sensor, 1 source address, 30 destination addresses

[snort sid 142-1 <http://www.snort.org/search/sid/142-1>] pop: Unknown POP3 command
protocol-command-decode
941 alerts (0%), 1 sensor, 45 source addresses, 1 destination address

[snort sid 141-1 <http://www.snort.org/search/sid/141-1>] imap: Unknown IMAP4 command
protocol-command-decode
450 alerts (0%), 1 sensor, 19 source addresses, 1 destination address


Decoding methods specified in snort.conf are:

# POP preprocessor. For more information see README.pop
preprocessor pop: \
   ports { 110 } \
   b64_decode_depth 0 \
   qp_decode_depth 0 \
   bitenc_decode_depth 0 \
   uu_decode_depth 0

# IMAP preprocessor.  For more information see README.imap
preprocessor imap: \
   ports { 143 } \
   b64_decode_depth 0 \
   qp_decode_depth 0 \
   bitenc_decode_depth 0 \
   uu_decode_depth 0

All are related to the single ENEA mail server and a lot of Enea clients.

How can I get the entire session in a pcap? By BASE? And how?

Many thanks for your collaboration.
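The triage step Al describes (follow the TCP stream, then look for the lines a protocol decoder would not accept) written out as an added example; this is not code from the thread or from Snort. It assumes a 'follow TCP stream' text dump with each line prefixed 'C: ' or 'S: ', and it uses the RFC 1939 command set, which is an assumption about what counts as "known": the Snort pop preprocessor keeps its own table.

```python
# RFC 1939 commands plus common extensions (RFC 2449 CAPA, RFC 2595 STLS, RFC 1734 AUTH).
# Assumption: Snort's pop preprocessor keeps its own command table, which may differ.
POP3_COMMANDS = {"USER", "PASS", "QUIT", "STAT", "LIST", "RETR", "DELE", "NOOP",
                 "RSET", "TOP", "UIDL", "APOP", "AUTH", "CAPA", "STLS"}
MULTILINE_ALWAYS = {"RETR", "TOP", "CAPA"}   # reply body ends with a lone "."
MULTILINE_NO_ARG = {"LIST", "UIDL"}          # multi-line only when sent without an argument

def triage_pop3_stream(dump):
    """Walk a 'follow TCP stream' style text dump (assumed format: every line
    prefixed 'C: ' or 'S: ') and return (line_no, side, reason, text) tuples
    for lines a strict POP3 decoder would not recognise."""
    findings, last_cmd, pending, in_body, sasl = [], "", False, False, False
    for n, raw in enumerate(dump.splitlines(), 1):
        side, payload = raw[:3], raw[3:]
        if side not in ("C: ", "S: "):
            findings.append((n, "?", "unparsable dump line", raw))
        elif side == "C: ":
            if sasl:                        # client answer to a SASL challenge, not a command
                sasl = False
                continue
            words = payload.split()
            last_cmd, in_body = (words[0].upper() if words else ""), False
            if last_cmd not in POP3_COMMANDS:
                findings.append((n, "client", "unknown command", payload))
            pending = last_cmd in MULTILINE_ALWAYS or (
                last_cmd in MULTILINE_NO_ARG and len(words) == 1)
        elif in_body:                       # listing or message body, terminated by "."
            in_body = payload != "."
        elif payload.startswith("+OK"):
            in_body, pending = pending, False
        elif payload.startswith("-ERR"):
            pending = False
        elif payload.startswith("+") and last_cmd == "AUTH":
            sasl = True                     # SASL challenge continuation (RFC 1734)
        else:
            findings.append((n, "server", "unknown response", payload))
    return findings

# Constructed sample session (not traffic from the thread); two odd lines are deliberate.
SAMPLE = "\n".join([
    "S: +OK POP3 server ready", "C: CAPA", "S: +OK", "S: TOP", "S: UIDL", "S: .",
    "C: AUTH PLAIN", "S: + ", "C: AGFsaWNlAGh1bnRlcjI=", "S: +OK logged in",
    "C: XTND XLST Message-Id", "S: -ERR unknown command",
    "C: RETR 1", "S: +OK 32 octets", "S: Subject: hi", "S: body", "S: .",
    "S: *** connection throttled", "C: QUIT", "S: +OK bye"])

if __name__ == "__main__":
    for line_no, side, reason, text in triage_pop3_stream(SAMPLE):
        print(f"line {line_no} ({side}): {reason}: {text!r}")
```

A client sending a non-RFC extension command and a server emitting a line that is neither +OK nor -ERR are exactly the two situations that show up as "Unknown POP3 command" and "Unknown POP3 response" counts, so this gives you something to look for once the stream is in front of you.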

