""ET SMTP Incoming SMTP Message with Possibly Malicious MIME Epilogue 2016-05-13 (BadEpilogue)""

SID: 2023255

Revision: 1

Class Type: bad-unknown

Metadata: attack_target SMTP_Server, created_at 2016_09_22, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_22

Reference:

• Link

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: $SMTP_SERVERS

Destination Port: [25,587]

Flow: to_server,established

Contents:

• Value: "|0d 0a|Content-Type|3a 20|multipart|2f|mixed|3b|"

• Value: "|0d 0a 2d 2d|"

Within:

PCRE: "/^(?P[\x20\x27-\x29\x2b-\x2f0-9\x3a\x3d\x3fA-Z\x5fa-z]{0,69}?[^\x2d])--(?:\x0d\x0a(?!--|\x2e|RSET)[^\r\n]?)\x0d\x0a--(?P=boundary)\x0d\x0a/R"

Special Options:

source