From: Jason <sec...@br...> - 2005-08-01 18:39:25

Eric Scopinho wrote:
> Hi, maybe this is a silly question, but let's say I have a rule for POP3
> blocking a malware (it can be a normal rule or using ClamAV preprocessor).
> When an internal user tries to download the message, the packet which
> contains the malware will be dropped (NF_DROP I guess).
> But since the email is still in his mailbox, will this not stay in a
> loop, and the user will be unable to download the other messages
> until someone removes the email from his mbox?
> If the above is true, is there some way to intercept 'transparently' the
> packet and send a DELE msg to the POP3 server? Maybe changing the
> payload/saddr/daddr, etc. of this packet using libipq?
>

There are three options really.

1) Write a preprocessor to handle this.
2) Use replace instead of drop to render the malware ineffective.
3) Catch the mail on the SMTP side and force the other mail server / malware sender to deal with it.
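
Option 2 as a pair of snort_inline rules, added here as an illustration and not part of the original post. The attachment name, message text and SIDs are constructed placeholders, and the rules assume the POP3 server answers from TCP port 110.

```snort
# Constructed example: the signature, msg text and sid values are placeholders.

# Behaviour from the question: the matching segment is dropped, so the
# download never completes and the message stays in the mailbox, where the
# client will hit it again on the next retrieval.
drop tcp any 110 -> $HOME_NET any (msg:"POP3 attachment blocked (drop)"; \
    flow:established,from_server; \
    content:"filename=|22|update.pif|22|"; nocase; \
    sid:1000001; rev:1;)

# Option 2: rewrite the matched bytes in place and let the segment through.
# The download completes and the client can delete the message as usual.
# The replace string must be exactly as long as the content string,
# because the payload length (and so the TCP sequence space) cannot change.
alert tcp any 110 -> $HOME_NET any (msg:"POP3 attachment neutralised (replace)"; \
    flow:established,from_server; \
    content:"filename=|22|update.pif|22|"; nocase; \
    replace:"filename=|22|update.txt|22|"; \
    sid:1000002; rev:1;)
```

Load only one of the two rules for a given signature. A pattern that is split across two TCP segments will not match either rule.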