The IMAP Preprocessor
Note: This section applies to Snort 2 preprocessors. For information on Snort 3 inspectors, see https://www.cisco.com/go/snort3-inspectors.
The Internet Message Application Protocol (IMAP) is used to retrieve email from a remote IMAP server. The IMAP preprocessor inspects server-to-client IMAP4 traffic and, when associated preprocessor rules are enabled, generates events on anomalous traffic. The preprocessor can also extract and decode email attachments in client-to-server IMAP4 traffic and send the attachment data to the rules engine. You can use the file_data keyword in an intrusion rule to point to the attachment data.
Extraction and decoding include multiple attachments, when present, and large attachments that span multiple packets.
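
The following added example (a simplified Python sketch, not Snort's code) illustrates why decoding matters for detection: it incrementally decodes two base64 attachments from an IMAP stream cut into arbitrary segments, yielding the kind of decoded buffer that file_data lets a rule inspect. The names `AttachmentDecoder`, `build_sample` and `inspect`, the `BOUND` boundary and the marker strings are all constructed for illustration.

```python
import base64

class AttachmentDecoder:
    """Line-oriented, incremental base64 decoder for MIME parts in a byte stream."""
    def __init__(self):
        self.partial = b""      # incomplete line carried over from the previous segment
        self.carry = b""        # base64 characters not yet forming a 4-character group
        self.saw_b64 = False    # base64 transfer-encoding header seen for this part
        self.in_body = False    # currently inside a base64 body
        self.attachments = []   # decoded attachments, one bytearray each

    def feed(self, segment: bytes) -> None:
        *lines, self.partial = (self.partial + segment).split(b"\r\n")
        for line in lines:
            self._line(line)

    def _line(self, line: bytes) -> None:
        if self.in_body:
            if line.startswith(b"--"):          # MIME boundary ends the part
                self.in_body, self.carry = False, b""
                return
            self.carry += line.strip()
            usable = len(self.carry) - len(self.carry) % 4
            self.attachments[-1] += base64.b64decode(self.carry[:usable])
            self.carry = self.carry[usable:]
        elif line.lower().startswith(b"content-transfer-encoding:"):
            self.saw_b64 = b"base64" in line.lower()
        elif line == b"" and self.saw_b64:      # blank line: headers end, body starts
            self.in_body, self.saw_b64 = True, False
            self.attachments.append(bytearray())

def build_sample() -> bytes:
    """Constructed client-to-server APPEND carrying a message with two attachments."""
    def part(name: bytes, data: bytes) -> bytes:
        b64 = base64.encodebytes(data).replace(b"\n", b"\r\n")
        return (b"--BOUND\r\nContent-Disposition: attachment; filename=" + name +
                b"\r\nContent-Transfer-Encoding: base64\r\n\r\n" + b64)
    msg = (b"Content-Type: multipart/mixed; boundary=BOUND\r\n\r\n" +
           part(b"a.bin", b"A" * 200 + b"MARKER-ONE") +
           part(b"b.bin", b"MARKER-TWO" + b"B" * 300) + b"--BOUND--\r\n")
    return b"a1 APPEND Sent {%d}\r\n" % len(msg) + msg + b"\r\n"

def inspect(stream: bytes, size: int = 53):
    """Cut the stream into fixed-size segments (stand-ins for packets) and decode."""
    segments = [stream[i:i + size] for i in range(0, len(stream), size)]
    dec = AttachmentDecoder()
    for seg in segments:
        dec.feed(seg)
    return segments, [bytes(a) for a in dec.attachments]
```

A pattern such as `MARKER-ONE` never appears in any raw segment because the payload is base64 on the wire; it is only matchable in the decoded attachment data, regardless of where the segment boundaries fall.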