Rule History

SID: 2016835 • Source: et/open

Versions (4)

Version DetailsCurrent

Rev: 3 • May 8, 2013, 12:00 PM

Message:

ET EXPLOIT Exim/Dovecot Possible MAIL FROM Command Execution

Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Exim/Dovecot Possible MAIL FROM Command Execution"; flow:to_server,established; content:"${IFS}"; fast_pattern; content:"mail from|3a|"; nocase; pcre:"/^[^\r\n]*?\x60[^\x60]*?\$\{IFS\}/R"; reference:url,redteam-pentesting.de/de/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution; classtype:attempted-admin; sid:2016835; rev:3; metadata:created_at 2013_05_08, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_10_08;)

Created:

May 8, 2013, 12:00 PM

Updated:

Oct 8, 2019, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

Oct 21, 2025, 10:35 PM

Filename:

rules/emerging-exploit.rules