Snort: What POP3 Decoder Setting do?



  • What does this menu do…see pic. My web host provider claimed that some spam activity came from my IP and their log shows a  POP3:OVERFLOW:LINE  SRXB0  Mar 8, 2018, 6:22:37 PM  Buffer Overflow...can't show the IP addresses for privacy.

    Does it send an email message with Barnyard enabled? The POP3 was going to port 110 on my web hosting provider, which triggered an alert...so, I want to understand what that menu does. My hosting also claimed they don't have the email address the alleged activity came from.
    ![Screen Shot 2018-03-08 at 9.09.45 PM.png](/public/imported_attachments/1/Screen Shot 2018-03-08 at 9.09.45 PM.png)



  • @NollipfSense:

    What does this menu do…see pic. My web host provider claimed that some spam activity came from my IP and their log shows a  POP3:OVERFLOW:LINE  SRXB0  Mar 8, 2018, 6:22:37 PM  Buffer Overflow...can't show the IP addresses for privacy.

    Does it send an email message with Barnyard enabled? The POP3 was going to port 110 on my web hosting provider, which triggered an alert...so, I want to understand what that menu does. My hosting also claimed they don't have the email address the alleged activity came from.

    Okay, my web hosting provider clarified that there was no spam activity from external IP address; however, there was "multiple POP3 checks." "Number of email checks for POP3 mailboxes is set to 100 per hour per account."

    What does that mean…here is the info from the manual, and of course it is not clear what the POP preprocessor actually does exactly...

    2.2.9 POP Preprocessor
    POP is a POP3 decoder for user applications. Given a data buffer, POP will decode the buffer and find POP3 commands and responses. It will also mark the command, data header, and data body sections, and extract the POP3 attachments and decode them appropriately.

    POP will handle stateful processing. It saves state between individual packets. However, maintaining correct state is dependent on the reassembly of the server side of the stream (i.e., a loss of coherent stream data results in a loss of state).
    Stream should be turned on for POP. Please ensure that the POP ports are added to the stream5 ports for proper reassembly.
    The POP preprocessor uses GID 142 to register events.

    Hope someone can make this clear…so far, it seems that it communicates with my web-hosting provider's email server.  The underlined above seems important! Not sure where to add the ports...it doesn't mention mail or show the default port 110 either...see pic!

    ![Screen Shot 2018-03-09 at 9.32.20 AM.png](/public/imported_attachments/1/Screen Shot 2018-03-09 at 9.32.20 AM.png)



  • No, the POP3 preprocessor most definitely does not communicate with any mail server.  It is simply looking at the commands flowing back and forth between email clients on your network and whatever mail servers they are connecting to (assuming that traffic passes through Snort).  The line you underlined from the Snort manual is simply saying you need to tell the POP3 preprocessor what ports to be looking at within the incoming/outgoing datastream.  It does not imply that Snort is talking to the mail server, though.  Telling the POP3 decoder what port is in use lets it filter the traffic and only inspect data coming or going from the active POP3 port.

    You define the POP3 ports on the VARIABLES tab for the interface in Snort.  There are settings on that page for servers and ports.  Leaving boxes blank will use the default values which are shown in the help text under each box.

    Bill
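As an added illustration (not from the original thread and not the file the pfSense Snort package actually generates), here is what those VARIABLES tab settings correspond to in Snort 2.9 snort.conf syntax. The network, port lists and stream limits are example values; the preprocessor keywords are the ones the Snort 2.9 manual documents.

```conf
# Snort 2.9.x snort.conf fragment (added illustration, not the page's own file).
# Port variables: the VARIABLES tab fills these in; a blank box keeps the default.
ipvar  HOME_NET   [192.168.1.0/24]      # example network
portvar POP3_PORTS [110]                # plaintext POP3 only; 995 does not belong here
portvar SMTP_PORTS [25,587]             # plaintext/STARTTLS SMTP; 465 is TLS from the first byte

# Stream reassembly must cover the POP3 ports or the POP decoder loses state
# (the "add the POP ports to the stream5 ports" sentence from the manual).
preprocessor stream5_global: track_tcp yes, track_udp yes, max_tcp 262144
preprocessor stream5_tcp: policy first, ports client 25 110 587, ports both 80 443

# POP3 decoder (GID 142): it only ever looks at the ports listed here and never
# opens a connection of its own.
preprocessor pop: \
    ports { 110 } \
    memcap 1310700 \
    qp_decode_depth 0 \
    b64_decode_depth 0 \
    bitenc_decode_depth 0 \
    uu_decode_depth 0

# TLS ports: let the ssl preprocessor recognise the handshake and stop
# inspecting once the session is encrypted, instead of handing ciphertext to
# the plaintext POP3/SMTP decoders and the rules that sit behind them.
preprocessor ssl: ports { 465 993 995 }, trustservers, noinspect_encrypted
```

The practical point is the split between the two port lists: a port goes either to the plaintext decoder (`pop`, `smtp`) or to the `ssl` preprocessor, never to both.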



  • @bmeeks:

    No, the POP3 preprocessor most definitely does not communicate with any mail server.  It is simply looking at the commands flowing back and forth between email clients on your network and whatever mail servers they are connecting to (assuming that traffic passes through Snort).  The line you underlined from the Snort manual is simply saying you need to tell the POP3 preprocessor what ports to be looking at within the incoming/outgoing datastream.  It does not imply that Snort is talking to the mail server, though.  Telling the POP3 decoder what port is in use lets it filter the traffic and only inspect data coming or going from the active POP3 port.

    You define the POP3 ports on the VARIABLES tab for the interface in Snort.  There are settings on that page for servers and ports.  Leaving boxes blank will use the default values which are shown in the help text under each box.

    Bill

    Thank you Bill for the detailed explanation. Well, one cannot just add the port…one has to create an alias; so, I created two firewall aliases, inmail and outmail, and added firewall...see pic. Then, I added the aliases to Snort's variables tab > SMTP > outmail and POP3 > inmail. But, I cannot send or receive emails...should I have added anything in the server section? I got this Snort alert and have since changed the source port. Had to hide the destination IP for privacy on the Snort alert pic. Outmail port is 465 and inmail port is 995.

    ![Screen Shot 2018-03-10 at 12.17.26 PM.png](/public/imported_attachments/1/Screen Shot 2018-03-10 at 12.17.26 PM.png)
    ![Screen Shot 2018-03-10 at 12.04.33 PM.png](/public/imported_attachments/1/Screen Shot 2018-03-10 at 12.04.33 PM.png)



  • @NollipfSense:

    @bmeeks:

    No, the POP3 preprocessor most definitely does not communicate with any mail server.  It is simply looking at the commands flowing back and forth between email clients on your network and whatever mail servers they are connecting to (assuming that traffic passes through Snort).  The line you underlined from the Snort manual is simply saying you need to tell the POP3 preprocessor what ports to be looking at within the incoming/outgoing datastream.  It does not imply that Snort is talking to the mail server, though.  Telling the POP3 decoder what port is in use lets it filter the traffic and only inspect data coming or going from the active POP3 port.

    You define the POP3 ports on the VARIABLES tab for the interface in Snort.  There are settings on that page for servers and ports.  Leaving boxes blank will use the default values which are shown in the help text under each box.

    Bill

    Thank you Bill for the detailed explanation. Well, one cannot just add the port…one has to create an alias; so, I created two firewall aliases, inmail and outmail, and added firewall...see pic. Then, I added the aliases to Snort's variables tab > SMTP > outmail and POP3 > inmail. But, I cannot send or receive emails...should I have added anything in the server section? I got this Snort alert and have since changed the source port. Had to hide the destination IP for privacy on the Snort alert pic. Outmail port is 465 and inmail port is 995.

    Port 995 is typically for POP3S (encrypted POP3), so Snort is going to have trouble seeing everything correctly on that port.  That rule is a "false positive" in your case because it is looking at an SSL encrypted datastream, so the byte patterns are not going to match the "standards" that Snort would see on a port 110 plain-text POP3 connection.  That's why the rule is triggering.

    So short answer is just disable that rule as it is going to fire on you a bunch and means nothing on an encrypted session.

    Bill
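To make the false-positive mechanism concrete, here is an added Python model (not Snort's code, and not from the original thread) of what a plaintext POP3 line decoder does when it is pointed at a port carrying TLS. The command set is RFC 1939 plus CAPA/STLS/AUTH; the 255-byte line limit, the port sets and the sample traffic are all constructed for this example and are not values taken from Snort or from the poster's alert.

```python
"""Why a plaintext POP3 decoder misfires on a POP3S (TLS) port.

Added illustration; models the port gating and line checks, not Snort itself.
"""

# POP3 command verbs from RFC 1939 plus the common CAPA/STLS/AUTH extensions.
POP3_COMMANDS = {
    "USER", "PASS", "APOP", "STAT", "LIST", "RETR", "DELE", "NOOP",
    "RSET", "TOP", "UIDL", "QUIT", "CAPA", "STLS", "AUTH",
}

MAX_LINE = 255          # assumed illustrative limit, not Snort's configured value
POP3_PORTS = {110}      # plaintext POP3 ports handed to the decoder (assumed)
SSL_PORTS = {465, 993, 995}  # ports the TLS preprocessor owns instead (assumed)


def is_tls_record(data: bytes) -> bool:
    """True if the bytes open with a TLS record header: content type 0x14-0x17
    (change_cipher_spec, alert, handshake, application_data) and version 3.x."""
    return (len(data) >= 3 and 0x14 <= data[0] <= 0x17
            and data[1] == 0x03 and data[2] <= 0x04)


def pop3_line_findings(data: bytes, max_line: int = MAX_LINE) -> list:
    """Parse client bytes as CRLF-terminated POP3 command lines and report the
    two classic anomalies: an over-long line and an unknown command verb."""
    findings = []
    for line in data.split(b"\r\n"):
        if not line:
            continue
        # A trailing fragment with no CRLF is still a pending line; ciphertext
        # never contains CRLF where the parser expects it, so it grows past the limit.
        if len(line) > max_line:
            findings.append("line overflow: %d bytes" % len(line))
        parts = line.split(None, 1)
        verb = parts[0].decode("ascii", "replace").upper() if parts else ""
        if verb not in POP3_COMMANDS:
            findings.append("unknown POP3 command: %r" % verb[:8])
    return findings


def inspect_flow(dst_port: int, client_data: bytes) -> list:
    """Model the port gating: TLS ports (or anything that looks like a TLS
    record) are left alone, non-POP3 ports are not decoded, and only the
    configured plaintext POP3 ports reach the line parser."""
    if dst_port in SSL_PORTS or is_tls_record(client_data):
        return ["encrypted session: plaintext POP3 inspection skipped"]
    if dst_port not in POP3_PORTS:
        return ["not a POP3 port: no POP3 inspection"]
    return pop3_line_findings(client_data)


# Constructed sample traffic (not captured from any real host).
PLAIN_SESSION = b"USER alice\r\nPASS correct-horse\r\nSTAT\r\nRETR 1\r\nQUIT\r\n"

# Fake TLS 1.2 ClientHello: record/handshake headers with consistent lengths,
# then filler bytes standing in for the (opaque) handshake body.
TLS_CLIENT_HELLO = (bytes([0x16, 0x03, 0x01, 0x01, 0x2e,   # handshake record, 302 bytes
                           0x01, 0x00, 0x01, 0x2a,         # ClientHello, 298 bytes
                           0x03, 0x03])                    # client_version TLS 1.2
                    + bytes(range(256)) + b"\x00" * 40)


if __name__ == "__main__":
    print("110 plaintext :", inspect_flow(110, PLAIN_SESSION))
    print("995 with gating:", inspect_flow(995, TLS_CLIENT_HELLO))
    # What happens if 995 is put in the POP3 port list and no TLS gating exists:
    print("995 decoded as POP3:", pop3_line_findings(TLS_CLIENT_HELLO))
```

The last line of the demo is the poster's situation: fed a TLS handshake, the plaintext parser sees one enormous "line" with no CRLF and a first token that is not a POP3 verb, so both the overflow and unknown-command checks fire on traffic that is perfectly normal. Putting 995 under the TLS preprocessor (or simply not listing it as a POP3 port) removes the noise without disabling the rule for genuine port-110 traffic.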



  • @bmeeks:

    @NollipfSense:

    @bmeeks:

    No, the POP3 preprocessor most definitely does not communicate with any mail server.  It is simply looking at the commands flowing back and forth between email clients on your network and whatever mail servers they are connecting to (assuming that traffic passes through Snort).  The line you underlined from the Snort manual is simply saying you need to tell the POP3 preprocessor what ports to be looking at within the incoming/outgoing datastream.  It does not imply that Snort is talking to the mail server, though.  Telling the POP3 decoder what port is in use lets it filter the traffic and only inspect data coming or going from the active POP3 port.

    You define the POP3 ports on the VARIABLES tab for the interface in Snort.  There are settings on that page for servers and ports.  Leaving boxes blank will use the default values which are shown in the help text under each box.

    Bill

    Thank you Bill for the detailed explanation. Well, one cannot just add the port…one has to create an alias; so, I created two firewall aliases, inmail and outmail, and added firewall...see pic. Then, I added the aliases to Snort's variables tab > SMTP > outmail and POP3 > inmail. But, I cannot send or receive emails...should I have added anything in the server section? I got this Snort alert and have since changed the source port. Had to hide the destination IP for privacy on the Snort alert pic. Outmail port is 465 and inmail port is 995.

    Port 995 is typically for POP3S (encrypted POP3), so Snort is going to have trouble seeing everything correctly on that port.  That rule is a "false positive" in your case because it is looking at an SSL encrypted datastream, so the byte patterns are not going to match the "standards" that Snort would see on a port 110 plain-text POP3 connection.  That's why the rule is triggering.

    So short answer is just disable that rule as it is going to fire on you a bunch and means nothing on an encrypted session.

    Bill

    Thank you Bill…disabling the rule worked and I can now send and receive emails from my SOHO...in time for Monday morning!