alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Inbound Smuggling Message from SMTP Smuggling Tool M2"; flow:established,to_client; content:"From|3a 20|smuggled|40|"; nocase; content:"To|3a 20|"; nocase; distance:0; content:"Subject|3a 20|SMUGGLED|20|EMAIL"; nocase; distance:0; content:"Date|3a 20|"; nocase; distance:0; content:"Message|2d|ID|3a 20|"; nocase; distance:0; content:"SMUGGLING WORKS with"; nocase; distance:0; content:"as|20 22|fake|22 20|end|2d|of|2d|data|20|sequence|21|"; fast_pattern; nocase; distance:0; reference:cve,2023-51764; reference:url,github.com/The-Login/SMTP-Smuggling-Tools/blob/main/smtp_smuggling_scanner.py; reference:cve,2023-51766; reference:cve,2023-51765; classtype:trojan-activity; sid:2049925; rev:2; metadata:attack_target Client_Endpoint, created_at 2024_01_05, cve CVE_2023_51766, deployment Perimeter, confidence High, signature_severity Critical, tag Exploit, updated_at 2024_01_31;)