Snort mailing list archives
Re: Unknown POP3 Command
From: Josh Bitto <jbitto () onlineschool ca>
Date: Wed, 5 Jun 2013 08:28:01 -0700
The only problem with doing a pcap is we use pfsense (open source firewall) and it has snort built into it. There is a way to do a pcap for the offending IPs, but doing it continuously isn't going to happen. I'm already having memory issues with the amount of sensors we have and each one using a high amount of memory.

From: James Lay [mailto:digitalx00 () gmail com]
Sent: Wednesday, June 05, 2013 5:01 AM
To: Snort
Subject: Re: [Snort-users] Unknown POP3 Command

On Jun 4, 2013, at 4:27 PM, Josh Bitto <jbitto () onlineschool ca> wrote:

I'm getting the following alert...

[142:1:1] (POP) Unknown POP3 command [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}

Can anyone elaborate to me what this signature is intended for? I know...I know....Do a pcap. I was just curious I couldn't find any definition information on what it's looking at or the call on it.

Josh,

My guess is that it didn't conform to any of the commands listed here:

http://www.faqs.org/rfcs/rfc1939.html

If you're logging to pcap or unified from snort, you should have the offending packet to look at...would be interested to see what's in there myself. Hope that helps.

James
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
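The check James guesses at above, as an added example that is not part of the original thread and is not Snort's own preprocessor code: it flags client lines whose keyword is not one of the commands defined in RFC 1939. Treating "not in RFC 1939" as the alert condition is an assumption taken from that reply, and the sample client lines are constructed.

```python
# Added triage helper, not Snort's POP preprocessor logic.
# Assumption: a command is "unknown" when its keyword is not defined in RFC 1939.

RFC1939_COMMANDS = frozenset({
    "USER", "PASS", "APOP", "QUIT",                    # AUTHORIZATION state
    "STAT", "LIST", "RETR", "DELE", "NOOP", "RSET",    # TRANSACTION state
    "TOP", "UIDL",                                     # optional commands
})

def classify_line(raw: bytes):
    """Return (keyword, reason); reason is None for an RFC 1939 command."""
    parts = raw.rstrip(b"\r\n").split(None, 1)
    if not parts:
        return ("", "empty line")
    keyword = parts[0]
    # RFC 1939 keywords are case-insensitive and purely alphabetic.
    if not keyword.isalpha():
        return (repr(keyword), "keyword is not alphabetic ASCII")
    name = keyword.decode("ascii").upper()
    if name not in RFC1939_COMMANDS:
        return (name, "keyword not defined in RFC 1939")
    return (name, None)

def find_unknown(lines):
    """Return (index, keyword, reason) for every line that would be flagged."""
    flagged = []
    for index, raw in enumerate(lines):
        keyword, reason = classify_line(raw)
        if reason is not None:
            flagged.append((index, keyword, reason))
    return flagged

# Constructed client-to-server lines, e.g. as extracted from a capture.
SAMPLE = [
    b"CAPA\r\n",                    # extension command (RFC 2449), not in RFC 1939
    b"USER alice\r\n",
    b"PASS example\r\n",
    b"stat\r\n",                    # lower case is still a valid keyword
    b"STLS\r\n",                    # extension command (RFC 2595)
    b"\x16\x03\x01\x00\xa5\r\n",    # binary data sent to the POP3 port
    b"RETR 1\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for index, keyword, reason in find_unknown(SAMPLE):
        print(f"line {index}: {keyword} -> {reason}")
```

Running the same check over the client side of a logged packet shows whether an alert came from an extension command sent by an ordinary mail client or from non-POP3 data on the port.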
Current thread:
- Unknown POP3 Command Josh Bitto (Jun 04)
- Re: Unknown POP3 Command James Lay (Jun 05)
- Re: Unknown POP3 Command Josh Bitto (Jun 05)
- Re: Unknown POP3 Command James Lay (Jun 05)
- Re: Unknown POP3 Command Josh Bitto (Jun 05)
- Re: Unknown POP3 Command James Lay (Jun 05)
- Re: Unknown POP3 Command waldo kitty (Jun 05)
- Re: Unknown POP3 Command Josh Bitto (Jun 05)
- Re: Unknown POP3 Command waldo kitty (Jun 05)
- Re: Unknown POP3 Command Josh Bitto (Jun 06)
- Re: Unknown POP3 Command beenph (Jun 06)
- Re: Unknown POP3 Command Josh Bitto (Jun 05)
- Re: Unknown POP3 Command James Lay (Jun 05)
- Re: Unknown POP3 Command Justin Knox (Jun 06)
- Re: Unknown POP3 Command waldo kitty (Jun 05)
