alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET EXPLOIT Possible OpenSMTPD RCE Inbound (CVE-2020-7247)"; flow:established,to_server; content:"MAIL|20|FROM|3a|<|3b|"; fast_pattern; reference:url,blog.qualys.com/vulnerabilities-research/2020/01/29/openbsd-opensmtpd-remote-code-execution-vulnerability-cve-2020-7247; reference:cve,2020-7247; classtype:attempted-admin; sid:2031621; rev:1; metadata:attack_target SMTP_Server, created_at 2021_02_17, cve CVE_2020_7247, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_02_17;)