How to detect POP3 & IMAP?

smtp_pop3_imap.pcap (38.1 KB)
I want to detect e-mail protocols such as SMTP, IMAP and POP3. Version 4.1.2.

  - eve-log:
      - smtp

1. When I use the rule alert smtp any any <> any any (msg:"smtp event"; sid:1000015; rev:10;), more smtp events appear than Wireshark displays.

2. Based on the official documentation, I wrote the rule alert imap any any <> any any (msg:"imap4 event_test"; sid:1000016; rev:10;),
but it does not work. So I replaced it with two rules:

alert tcp any any -> any 143 (msg:"imap4 to_server"; sid:1000016; rev:10;)
alert tcp any 143 -> any any (msg:"imap4 to_client"; sid:1000017; rev:10;)

Is this a problem?
How do I solve it?

3. Do you have any suggestions for detecting POP3?
I wrote two rules for POP3's port 110.

alert tcp any any -> any 110 (msg:"POP3 to_server"; sid:1000013; rev:4;)
alert tcp any 110 -> any any (msg:"POP3 to_client"; sid:1000014; rev:4;)

It looks so imprecise.
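One way to make the port-based POP3/IMAP rules above less noisy, as an added example that is not part of this post or of Suricata's own rule sets: tag a flow from the server greeting, then alert only on the cleartext credential commands. It assumes Suricata's default $HOME_NET variable, plaintext sessions on 110/143 (nothing here matches TLS on 993/995 or after STARTTLS), and constructed sids in the 1000020+ range.

```suricata
# Added example, not from the original post. Assumes default $HOME_NET,
# plaintext POP3 on 110 and IMAP on 143, and constructed sids.

# 1. Tag a flow as POP3 when the server greets with "+OK" (RFC 1939).
#    flowbits:noalert means this rule only marks the flow, it never fires.
alert tcp any 110 -> $HOME_NET any (msg:"POP3 session (server greeting)"; flow:established,to_client; content:"+OK"; depth:3; flowbits:set,pop3.session; flowbits:noalert; sid:1000020; rev:1;)

# 2. Alert when a client in a tagged POP3 flow sends PASS, i.e. a cleartext
#    credential. The pcre /m anchor keeps the match at the start of a line so
#    the word "PASS" inside other data does not trigger it.
alert tcp $HOME_NET any -> any 110 (msg:"POP3 cleartext PASS command"; flow:established,to_server; flowbits:isset,pop3.session; content:"PASS "; nocase; pcre:"/^PASS\s/mi"; sid:1000021; rev:1;)

# 3. Same idea for IMAP: the server greeting is "* OK" (RFC 3501).
alert tcp any 143 -> $HOME_NET any (msg:"IMAP session (server greeting)"; flow:established,to_client; content:"* OK"; depth:4; flowbits:set,imap.session; flowbits:noalert; sid:1000022; rev:1;)

# 4. IMAP LOGIN carries user and password in cleartext. The client tag
#    ("a001 LOGIN ...") varies, so match the command after the tag.
alert tcp $HOME_NET any -> any 143 (msg:"IMAP cleartext LOGIN command"; flow:established,to_server; flowbits:isset,imap.session; content:" LOGIN "; nocase; pcre:"/^\S+\s+LOGIN\s/mi"; sid:1000023; rev:1;)
```

Run against the attached pcap with suricata -r smtp_pop3_imap.pcap -S rules-file to check that each session produces one alert per credential command instead of one per packet.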

I can confirm that IMAP is not detected; we also miss a dedicated IMAP output similar to SMTP. This is also a request in our redmine, see and also

What is wrong with the smtp event part exactly?

POP3 support is also open, see

Thank you. I have to use the ports specified by the POP3 & IMAP protocols for detection first.

About the first question:

1. When I use the rule alert smtp any any <> any any (msg:"smtp event"; sid:1000015; rev:10;), more smtp events appear than Wireshark displays.

I found the reason. The rule led to an increase in events.
I deleted the rules and solved the problem.
And I found a new problem: some FTP events appeared when I detected POP3.

@Andreas_Herz is there something similar for SMTP not being supported too? I tried using ssmtp to send an email but it doesn't seem to work (capturing the traffic with Wireshark shows TCP traffic instead of SMTP). Still relatively new to this.

My rule:

alert smtp $HOME_NET any -> any any (msg:"Sensitive Data Leak"; content:"Hello"; flow:to_server; sid:15; rev:1;)

Do you have a pcap for that test?
It would be worth removing the flow part from the rule for testing, and also trying alert ip instead of alert smtp to narrow down a potential issue.