ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M3

SID: 2022937

Revision: 2

Class Type: attempted-admin

Metadata: created_at 2016_06_30, updated_at 2022_05_03

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

  • Value: "Content-Type|3a 20|"

  • Value: "name"

  • Value: "|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|" (these 34 bytes decode to the ASCII text X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-, the opening of the EICAR test string)

Within:

PCRE: "/^\s=\s[\x22\x27][^\x22\x27\r\n]{78}/R"

Special Options:

  • nocase

  • nocase
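How the three content matches and the relative PCRE fit together, as an added Python emulation of the rule's matching logic (this is not Emerging Threats/Proofpoint code and is not part of the ruleset). It assumes, since the listing does not say, that the two nocase options belong to the "name" and EICAR content matches, that the PCRE's /R is relative to the end of the "name" match (the only reading under which ^\s=\s makes sense, because the EICAR bytes sit inside the quoted value), and that the EICAR bytes may appear anywhere after "Content-Type: " because the within value is not shown. The PCRE is used exactly as printed: \s=\s demands exactly one whitespace character on each side of the "=", so a bare name="..." would not satisfy it; the constructed POP3 samples below are written with single spaces for that reason, and the quantifiers are worth checking against the rule text in the ruleset before relying on them.

```python
import re

# Third content match from the rule, decoded from the hex shown on the page.
EICAR_HEX = (
    "58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e "
    "29 37 43 43 29 37 7d 24 45 49 43 41 52 2d"
)
EICAR_PREFIX = bytes.fromhex(EICAR_HEX)
# The same 34 bytes written out: the first 34 characters of the EICAR test string.
EICAR_PREFIX_ASCII = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-"

CONTENT_TYPE = b"Content-Type: "   # "Content-Type|3a 20|"
NAME = b"name"
# The PCRE exactly as printed on the page. Under /R the ^ anchors at the end of the
# previous content match; that is emulated below by matching against the slice of
# the payload that starts right after "name".
NAME_VALUE_RE = re.compile(rb"^\s=\s[\x22\x27][^\x22\x27\r\n]{78}")


def matches_rule(payload: bytes) -> bool:
    """Emulate the rule's content/pcre chain over one server-to-client payload.

    Assumptions not stated on the page: nocase applies to "name" and to the
    EICAR bytes; the PCRE is relative to the end of the "name" match; the EICAR
    bytes may appear anywhere after "Content-Type: " (the within value is not
    shown, so no distance limit is enforced here).
    """
    ct = payload.find(CONTENT_TYPE)
    if ct < 0:
        return False
    cursor = ct + len(CONTENT_TYPE)
    lowered = payload.lower()           # nocase emulation for the later matches
    name_pos = lowered.find(NAME, cursor)
    if name_pos < 0:
        return False
    # Relative PCRE: the quoted name value must run 78+ bytes with no closing quote.
    if NAME_VALUE_RE.match(payload[name_pos + len(NAME):]) is None:
        return False
    return lowered.find(EICAR_PREFIX.lower(), cursor) >= 0


def _pop3_message(name_value: bytes) -> bytes:
    """Constructed POP3 RETR response carrying one MIME part (not a real capture)."""
    return (
        b"+OK 512 octets\r\n"
        b"From: sender@example.test\r\n"
        b"MIME-Version: 1.0\r\n"
        # Single spaces around "=" because the printed PCRE (\s=\s) demands exactly one.
        b'Content-Type: application/octet-stream; name = "' + name_value + b'"\r\n'
        b"Content-Transfer-Encoding: base64\r\n"
        b"\r\n"
    )


# 34 EICAR bytes plus padding: a 94-byte name value, well past the 78 the PCRE needs.
MALICIOUS = _pop3_message(EICAR_PREFIX + b"A" * 60)
# Ordinary attachment name: the {78} repetition in the PCRE is never satisfied.
BENIGN = _pop3_message(b"report.pdf")
# Long name without the EICAR bytes: this variant stays quiet, because the third
# content match ties it to PoC-style file names built from the EICAR string.
LONG_NAME_NO_EICAR = _pop3_message(b"A" * 90)

if __name__ == "__main__":
    for label, sample in [("malicious", MALICIOUS), ("benign", BENIGN),
                          ("long-no-eicar", LONG_NAME_NO_EICAR)]:
        print(f"{label}: {'ALERT' if matches_rule(sample) else 'no alert'}")
```

The third sample is the caveat a detection engineer should keep in mind: because the signature requires the EICAR bytes inside the oversized name parameter, it fires on files shaped like the public test case rather than on any overlong MIME name, so it should be paired with the companion variants the M3 suffix implies rather than treated as complete coverage of the overflow.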
