"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M2"

SID: 2022932

Revision: 1

Class Type: attempted-admin

Metadata: created_at 2016_06_30, updated_at 2016_06_30

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

  • Value: "Content-Type|3a 20|"

  • Value: "name"

  • Value: "|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"

Within:

PCRE: "/^\s=\s[\x22\x27][^\x22\x27\r\n]{78}/R"

Special Options:

  • file_data

  • nocase

  • nocase
