alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Inbound Setup Message from SMTP Smuggling Tool"; flow:established,to_client; content:"From|3a 20|setup|5f|check|40|"; nocase; content:"To|3a 20|"; nocase; distance:0; content:"Subject|3a 20|SETUP|20|CHECK"; nocase; distance:0; content:"Date|3a 20|"; nocase; distance:0; content:"Message|2d|ID|3a 20|"; nocase; distance:0; content:"Your setup seems to be working! You can now proceed with smuggling tests!"; fast_pattern; nocase; distance:0; reference:cve,2023-51764; reference:url,github.com/The-Login/SMTP-Smuggling-Tools/blob/main/smtp_smuggling_scanner.py; reference:cve,2023-51766; reference:cve,2023-51765; classtype:trojan-activity; sid:2049923; rev:1; metadata:attack_target Client_Endpoint, created_at 2024_01_05, cve CVE_2023_51765, deployment Perimeter, confidence High, signature_severity Critical, tag Exploit, updated_at 2024_01_05;)