Need help with creating signature for pop3


L1 Bithead

I would need some assistance with setting up a custom signature for pop3.

 

I need to make a signature for the USER command returning "-ERR ". Currently the PAN vuln signature only triggers on the Pass command in vuln ID 31709. I run into a fundamental issue, which is the 7 bytes: POP3 does not have a 7-byte minimum on return codes.

 

I'm suspecting I will need to do something like the following but this is not triggering.

 

 

'Server Ack
context unknown-rsp-tcp-payload
pattern "\+OK.{0,70}(POP3 MDaemon).{0,70}"
negate no

'User passes username
context unknown-req-tcp-payload
pattern "/user/i .{0,100}"
negate no

context unknown-rsp-tcp-payload
pattern "/\-ERR/i.{0,70}"
negate no

 

Any idea on how I can get this done would be appreciated.

 

6 REPLIES

Hi Luciano,

 

We are targeting users sign-on failed auth message; unfortunately there is nothing more than the user command and the parameter the attacker uses. I don't need the brackets; notice they did not make a difference if they're in or not.

 

https://www.ietf.org/rfc/rfc1939.txt (pages 12-13). This is due to an attack we have seen, and the last one was ~50K user attempts; the bot never went to the Pass command, which would have triggered the failed login attempt. I have asked PA to step in at this point to develop some kind of recon signature for this type of attack/recon.

 

Hopefully they will come up with something. Thanks for your help!
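
An added example, not written by any poster in this thread and not Palo Alto Networks signature syntax: an offline check for the pattern described above (many USER commands rejected with -ERR, no PASS ever sent) over captured POP3 lines. The event tuple layout, function names, addresses and threshold are assumptions, and the sample traffic is constructed.

```python
import re
from collections import defaultdict

# RFC 1939 keywords are case-insensitive; replies start with +OK or -ERR.
CMD_RE = re.compile(rb"^(USER|PASS)\b", re.IGNORECASE)

def failed_user_counts(events):
    """Per client: USER commands answered with -ERR, and PASS commands sent.
    events: (conn_id, client_ip, direction, line); direction is "C" for
    client-to-server or "S" for server-to-client; line is bytes.
    """
    pending = {}  # conn_id -> last USER/PASS keyword awaiting its reply
    stats = defaultdict(lambda: {"user_err": 0, "pass_seen": 0})
    for conn_id, client_ip, direction, line in events:
        if direction == "C":
            m = CMD_RE.match(line.strip())
            pending[conn_id] = m.group(1).upper() if m else None
            if pending[conn_id] == b"PASS":
                stats[client_ip]["pass_seen"] += 1
        elif direction == "S":
            cmd = pending.pop(conn_id, None)
            # "-ERR" is only 4 bytes, so test the reply prefix directly.
            if cmd == b"USER" and line.upper().startswith(b"-ERR"):
                stats[client_ip]["user_err"] += 1
    return dict(stats)

def flag_enumeration(events, threshold=3):
    """Clients with >= threshold rejected USER commands and no PASS at all."""
    return sorted(ip for ip, s in failed_user_counts(events).items()
                  if s["user_err"] >= threshold and s["pass_seen"] == 0)

# Constructed sample traffic (documentation addresses), not captured data.
SAMPLE = [
    (1, "192.0.2.10", "S", b"+OK POP3 server ready\r\n"),
    (1, "192.0.2.10", "C", b"USER alice\r\n"),
    (1, "192.0.2.10", "S", b"-ERR \r\n"),
    (1, "192.0.2.10", "C", b"user bob\r\n"),
    (1, "192.0.2.10", "S", b"-ERR no such mailbox\r\n"),
    (2, "192.0.2.10", "C", b"USER carol\r\n"),
    (2, "192.0.2.10", "S", b"-ERR \r\n"),
    (3, "198.51.100.7", "S", b"+OK POP3 server ready\r\n"),
    (3, "198.51.100.7", "C", b"USER dave\r\n"),
    (3, "198.51.100.7", "S", b"+OK\r\n"),
    (3, "198.51.100.7", "C", b"PASS wrong\r\n"),
    (3, "198.51.100.7", "S", b"-ERR invalid password\r\n"),
]

print(flag_enumeration(SAMPLE))
```

Counting per client address rather than per connection keeps the check useful when the rejected USER commands are spread across many short sessions.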

 

 

Hi,

 

Just to let you know - I checked, my idea with custom app won't work - it will not override settings of the default decoder. Scratch that and talk to PAN SE or TAC.

 

Best regards


Luciano
