alert tls any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT GnuTLS Cryptographic Flaw Observed (CVE-2020-13777)"; flow:established,to_server; content:"|16|"; startswith; content:"|00 23|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:2; within:16; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/R"; reference:url,corelight.com/blog/detecting-gnutls-cve-2020-13777-using-zeek; classtype:attempted-recon; sid:2030340; rev:3; metadata:created_at 2020_06_15, deployment Perimeter, deployment Internal, performance_impact Significant, confidence High, signature_severity Major, updated_at 2023_04_28;)