Et rule 2019407 - Magic-SigExplorer

""ET SMTP SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M2""

SID: 2019407

Revision: 1

Class Type: misc-activity

Metadata: created_at 2014_10_15, updated_at 2014_10_15

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: $SMTP_SERVERS

Destination Port: [25,587]

Flow: established,to_server

Contents:

Value: "|0D 0A 0D 0A|UEsDB"

Within:

PCRE: "/^[A-Za-z0-9\/+\x0D\x0A]+?c[\x0d\x0a]{0,2}H[\x0d\x0a]{0,2}B[\x0d\x0a]{0,2}0[\x0d\x0a]{0,2}L[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}t[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}k[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}u[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}3[\x0d\x0a]{0,2}M[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}x[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}T[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}J[\x0d\x0a]{0,2}q[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}N[\x0d\x0a]{0,2}0/R"

Special Options:

source