The POP Preprocessor
Note: This section applies to Snort 2 preprocessors. For information on Snort 3 inspectors, see https://www.cisco.com/go/snort3-inspectors.
The Post Office Protocol (POP) is used to retrieve email from a remote POP mail server. The POP preprocessor inspects server-to-client POP3 traffic and, when associated preprocessor rules are enabled, generates events on anomalous traffic. The preprocessor can also extract and decode email attachments in client-to-server POP3 traffic and send the attachment data to the rules engine. You can use the file_data keyword in an intrusion rule to point to attachment data.
Extraction and decoding include multiple attachments, when present, and large attachments that span multiple packets.
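
The following is an added example, not Snort or Cisco code: a small Python model of the extraction and decoding described above, showing the decoded bytes an attachment-aware rule would match against when a reply carries two attachments and is split across two packets. The function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy

def unstuff(stream: bytes) -> bytes:
    """Strip the POP3 status line, dot-stuffing and terminator (RFC 1939)."""
    status, _, body = stream.partition(b"\r\n")
    if not status.startswith(b"+OK"):
        return b""                      # -ERR reply carries no message
    lines = []
    for line in body.split(b"\r\n"):
        if line == b".":                # end of the multi-line reply
            break
        lines.append(line[1:] if line.startswith(b".") else line)
    return b"\r\n".join(lines)

def attachments(segments):
    """Reassemble TCP payloads of one RETR reply and decode each attachment."""
    raw = unstuff(b"".join(segments))
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            # decode=True undoes the base64 / quoted-printable transfer encoding
            found.append((part.get_filename(), part.get_payload(decode=True)))
    return found

# Constructed sample reply: two attachments, one dot-stuffed line.
SAMPLE = b"\r\n".join([
    b"+OK message follows",
    b"Subject: report", b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"', b"",
    b"--b1", b"Content-Type: text/plain", b"", b"See attached.",
    b"--b1", b"Content-Type: application/pdf",
    b'Content-Disposition: attachment; filename="a.pdf"',
    b"Content-Transfer-Encoding: base64", b"", b"JVBERi0xLjQK",
    b"--b1", b"Content-Type: text/plain",
    b'Content-Disposition: attachment; filename="b.txt"',
    b"Content-Transfer-Encoding: quoted-printable", b"", b"..caf=C3=A9",
    b"--b1--", b".", b"",
])

if __name__ == "__main__":
    cut = SAMPLE.index(b"JVBERi") + 5   # split mid-attachment, as two packets
    for name, data in attachments([SAMPLE[:cut], SAMPLE[cut:]]):
        print(name, data)
```

A signature written against the raw packet bytes would see only the base64 text `JVBERi0xLjQK`; the decoded buffer is what exposes the `%PDF` header to content matching.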