alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TeamViewer .tvs iFrame Observed (CVE-2020-13699)"; flow:established,from_server; http.response_body; content:"<iframe|20|"; content:"|20|src="; distance:0; pcre:"/^[\x22\x27]t(?:eamviewer(\d+|api)|v(c(hat|ontrol)|filetransfer|joinv|present|s(endfile|q(customer|support))|v(ideocall|pn))\d)/R"; content:"|3a 20|--play"; distance:0; fast_pattern; content:".tvs"; distance:0; reference:url,www.bleepingcomputer.com/news/security/teamviewer-fixes-bug-that-lets-attackers-access-your-pc/; classtype:attempted-admin; sid:2030668; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_10, cve CVE_2020_13699, deployment Perimeter, confidence High, signature_severity Major, tag Teamviewer, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_10;)