Rule Category

PROTOCOL-IMAP -- Snort alerted on Internet Message Access Protocol (IMAP) traffic. IMAP is an email retrieval protocol used by clients over a TCP/IP connection. It handles mail on a remote server, so all actions are processed on that server rather than on the user's client. The protocol is exposed to injection, restriction and process evasions, leaks, relay abuse, and other attacks.

Alert Message

PROTOCOL-IMAP login brute force attempt

Rule Explanation

This event is generated when an attempt is made to gain access to an IMAP server using brute force methods.

Impact: Attempted remote access. This event may indicate that an attacker is attempting to guess username and password combinations. Alternately, it may indicate that an authorized user has entered an incorrect username and password combination a number of times.

Details: An IMAP server will issue an error message after a failed login attempt. This may be an indication of an attacker attempting brute force guessing of username and password combinations. It is also possible that an authorized user has incorrectly entered a legitimate username and password combination. This event will be generated after a number of failed attempts, in this case thirty attempted logins in thirty seconds.

Ease of Attack: Simple
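The thirty-failures-in-thirty-seconds threshold described above, as an added Python example that is not Snort's rule or Talos code: it counts rejected IMAP login replies per client in a sliding window and flags the client when the threshold is reached, and shows why a slow guesser stays under it. The failure signature (a tagged NO reply to LOGIN or AUTHENTICATE), the per-client tracking and the sample traffic are assumptions constructed for this example.

```python
import re
from collections import deque

# Assumed failure signature: a tagged "NO" server reply to a LOGIN or
# AUTHENTICATE command (RFC 3501 style). Constructed for this example.
LOGIN_FAIL_RE = re.compile(r"^\S+\s+NO\b.*(LOGIN|AUTHENTICAT)", re.IGNORECASE)

THRESHOLD = 30      # failed logins ...
WINDOW_SECS = 30.0  # ... within this many seconds, as the rule explanation states

def is_login_failure(server_line):
    """True if a server response line looks like a rejected login."""
    return LOGIN_FAIL_RE.match(server_line) is not None

def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW_SECS):
    """events: iterable of (ts_seconds, client_ip, server_response_line) in
    time order. Returns [(client_ip, ts)] each time a client's sliding window
    reaches the threshold; the window is cleared on alert so one burst yields
    one alert, as a threshold rule would."""
    recent = {}   # client_ip -> deque of failure timestamps inside the window
    alerts = []
    for ts, src, line in events:
        if not is_login_failure(line):
            continue
        q = recent.setdefault(src, deque())
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((src, ts))
            q.clear()
    return alerts

def sample_events():
    """Constructed traffic: one fast guesser, one slow guesser, and one
    legitimate user who mistypes twice and then succeeds."""
    ev = []
    for i in range(40):   # 198.51.100.7: two failures per second -> threshold hit
        ev.append((i * 0.5, "198.51.100.7", f"a{i:03d} NO LOGIN failed"))
    for i in range(40):   # 203.0.113.9: one failure every 2 s -> never 30 in 30 s
        ev.append((i * 2.0, "203.0.113.9",
                   f"b{i:03d} NO [AUTHENTICATIONFAILED] Authentication failed"))
    ev += [(3.0, "192.0.2.20", "c001 NO LOGIN failed"),
           (9.0, "192.0.2.20", "c002 NO LOGIN failed"),
           (15.0, "192.0.2.20", "c003 OK LOGIN completed")]
    ev.sort(key=lambda e: e[0])
    return ev

if __name__ == "__main__":
    for src, ts in detect_bruteforce(sample_events()):
        print(f"alert: {src} reached {THRESHOLD} failed logins at t={ts:.1f}s")
```

Only the fast guesser is reported, at the 30th failure (t=14.5 s); the slow guesser never holds 30 failures inside any 30-second window, which is the gap a rate threshold like this one leaves.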

What To Look For

No information provided

Known Usage

No public information

False Positives

Known false positives, with the described conditions

This event may be triggered by a failed IMAP login attempt from a remote user.

Contributors

Cisco Talos, Brian Caswell, Nigel Houghton

Rule Groups

No rule groups

CVE

None

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None