alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible Attempted Microsoft Exchange RCE (CVE-2020-0688)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>600; content:"/ecp/"; startswith; content:"__VIEWSTATEGENERATOR="; distance:0; content:"__VIEWSTATE="; distance:0; reference:url,www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keyscve; reference:cve,2020-0688; reference:url,www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/; classtype:attempted-admin; sid:2029540; rev:2; metadata:affected_product Web_Server_Applications, attack_target SMTP_Server, created_at 2020_02_26, cve CVE_2020_0688, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_03_02;)