Snort mailing list archives

Re: [WARNING : A/V UNSCANNABLE] Re: pop: Unknown POP3 response/command


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 11 Jan 2016 18:15:54 +0000

What decoding methods do you have set up (uuencoded, qp, base64, etc.)? Can you send what you have set up in your
preprocessor? Have you tried lengthening your decoding depths?

Try to get the entire session in a pcap and see what the POP commands are (after decoding the data). The message you
sent is truncated, and if Snort tries to read that it will throw an Unknown error command.

Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Matteo De Rosa [mailto:matteo.derosa () enea it]
Sent: Monday, January 11, 2016 10:14 AM
To: Joel Esler (jesler); snort-users () lists sourceforge net
Subject: [WARNING : A/V UNSCANNABLE] Re: [Snort-users] pop: Unknown POP3 response/command

This is the detail of one of the alerts:
