alert smtp any any -> $HOME_NET any (msg:"ET EXPLOIT Suspected Exim External Auth Overflow (CVE-2023-42115)"; flow:established; flowbits:isset,ET.eximsmtp; content:"auth|20|"; nocase; fast_pattern; pcre:"/^(?:(?:[^A\r\n]+[A])(?:[^A\r\n]+[A])){2,}/R"; reference:url,www.zerodayinitiative.com/advisories/ZDI-23-1469/; reference:url,labs.watchtowr.com/exim-0days-90s-vulns-in-90s-software/; reference:cve,2023-42115; classtype:attempted-admin; sid:2048390; rev:1; metadata:attack_target SMTP_Server, created_at 2023_10_03, cve CVE_2023_42115, deployment Perimeter, deployment SSLDecrypt, performance_impact Significant, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_10_03, reviewed_at 2023_10_03; target:dest_ip;)