Sourcefire VRT Rules Update

Date: 2011-05-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.5.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:18840 <-> DISABLED <-> SMTP .mad attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18839 <-> DISABLED <-> SMTP .lnk attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18838 <-> DISABLED <-> SMTP .ksh attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18837 <-> DISABLED <-> SMTP .jse attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18836 <-> DISABLED <-> SMTP .js attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18835 <-> DISABLED <-> SMTP .its attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18834 <-> DISABLED <-> SMTP .isp attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18833 <-> DISABLED <-> SMTP .ins attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18832 <-> DISABLED <-> SMTP .inf attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18831 <-> DISABLED <-> SMTP .hta attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18830 <-> DISABLED <-> SMTP .hpj attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18829 <-> DISABLED <-> SMTP .hlp attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18828 <-> DISABLED <-> SMTP .gadget attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18827 <-> DISABLED <-> SMTP .fxp attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18826 <-> DISABLED <-> SMTP .exe attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18825 <-> DISABLED <-> SMTP .der attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18824 <-> DISABLED <-> SMTP .csh attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18823 <-> DISABLED <-> SMTP .crt attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18822 <-> DISABLED <-> SMTP .cpl attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18821 <-> DISABLED <-> SMTP .com attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18900 <-> ENABLED <-> BLACKLIST URI request for known malicious USI (W32.Swizzor -- blacklist.rules)
 * 1:18899 <-> DISABLED <-> SMTP .xnk attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18898 <-> DISABLED <-> SMTP .wsh attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18897 <-> DISABLED <-> SMTP .wsf attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18896 <-> DISABLED <-> SMTP .wsc attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18895 <-> DISABLED <-> SMTP .ws attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18894 <-> DISABLED <-> SMTP .vsw attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18893 <-> DISABLED <-> SMTP .vsmacros attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18892 <-> DISABLED <-> SMTP .vbs attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18891 <-> DISABLED <-> SMTP .vbp attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18890 <-> DISABLED <-> SMTP .vbe attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18889 <-> DISABLED <-> SMTP .vb attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18888 <-> DISABLED <-> SMTP .url attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18887 <-> DISABLED <-> SMTP .tmp attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18886 <-> DISABLED <-> SMTP .psc2 attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18885 <-> DISABLED <-> SMTP .psc1 attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18884 <-> DISABLED <-> SMTP .ps2xml attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18883 <-> DISABLED <-> SMTP .ps2 attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18882 <-> DISABLED <-> SMTP .ps1xml attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18881 <-> DISABLED <-> SMTP .ps1 attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18880 <-> DISABLED <-> SMTP .shs attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18879 <-> DISABLED <-> SMTP .shb attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18878 <-> DISABLED <-> SMTP .sct attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18877 <-> DISABLED <-> SMTP .scr attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18876 <-> DISABLED <-> SMTP .scf attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18875 <-> DISABLED <-> SMTP .reg attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18874 <-> DISABLED <-> SMTP .pst attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18873 <-> DISABLED <-> SMTP .prg attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18872 <-> DISABLED <-> SMTP .prf attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18871 <-> DISABLED <-> SMTP .plg attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18870 <-> DISABLED <-> SMTP .pif attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18869 <-> DISABLED <-> SMTP .pcd attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18868 <-> DISABLED <-> SMTP .osd attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18867 <-> DISABLED <-> SMTP .ops attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18866 <-> DISABLED <-> SMTP .mst attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18865 <-> DISABLED <-> SMTP .msp attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18864 <-> DISABLED <-> SMTP .msi attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18863 <-> DISABLED <-> SMTP .msh2xml attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18862 <-> DISABLED <-> SMTP .msh1xml attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18861 <-> DISABLED <-> SMTP .mshxml attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18860 <-> DISABLED <-> SMTP .msh2 attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18859 <-> DISABLED <-> SMTP .msh1 attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18858 <-> DISABLED <-> SMTP .msh attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18857 <-> DISABLED <-> SMTP .msc attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18856 <-> DISABLED <-> SMTP .mdz attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18855 <-> DISABLED <-> SMTP .mdw attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18854 <-> DISABLED <-> SMTP .mdt attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18853 <-> DISABLED <-> SMTP .mde attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18852 <-> DISABLED <-> SMTP .mdb attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18851 <-> DISABLED <-> SMTP .mda attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18850 <-> DISABLED <-> SMTP .maw attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18849 <-> DISABLED <-> SMTP .mav attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18848 <-> DISABLED <-> SMTP .mau attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18847 <-> DISABLED <-> SMTP .mat attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18846 <-> DISABLED <-> SMTP .mas attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18845 <-> DISABLED <-> SMTP .mar attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18844 <-> DISABLED <-> SMTP .maq attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18843 <-> DISABLED <-> SMTP .mam attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18842 <-> DISABLED <-> SMTP .mag attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18841 <-> DISABLED <-> SMTP .maf attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18820 <-> DISABLED <-> SMTP .cnt attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18819 <-> DISABLED <-> SMTP .cmd attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18818 <-> DISABLED <-> SMTP .chm attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18817 <-> DISABLED <-> SMTP .cer attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18816 <-> DISABLED <-> SMTP .bat attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18815 <-> DISABLED <-> SMTP .bas attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18814 <-> DISABLED <-> SMTP .asp attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18813 <-> DISABLED <-> SMTP .app attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18812 <-> DISABLED <-> SMTP .adp attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18811 <-> DISABLED <-> SMTP .ade attachment file type blocked by Outlook detected (smtp.rules)
 * 1:18810 <-> ENABLED <-> WEB-CLIENT Microsoft Excel BIFF v5 file download attempt (web-client.rules)
 * 1:18809 <-> DISABLED <-> WEB-CLIENT Mozilla EnsureCachedAttrPraramArrays integer overflow attempt (web-client.rules)
 * 1:18808 <-> DISABLED <-> SMTP Ipswitch IMail Server List Mailer Reply-To address buffer overflow attempt (smtp.rules)
 * 1:18807 <-> ENABLED <-> DOS OpenLDAP Modrdn RDN NULL string denial of service attempt (dos.rules)
 * 1:18804 <-> DISABLED <-> WEB-MISC OpenLDAP Modrdn utf-8 string code execution attempt (web-misc.rules)
 * 1:18803 <-> DISABLED <-> WEB-MISC Oracle Java Runtime CMM readMabCurveData buffer overflow attempt (web-misc.rules)
 * 1:18802 <-> ENABLED <-> WEB-MISC HP Power Manager formExportDataLogs directory traversal attempt (web-misc.rules)
 * 1:18801 <-> ENABLED <-> WEB-CLIENT Adobe Acrobat/Reader JpxDecode invalid crgn memory corruption attempt (web-client.rules)
 * 1:18800 <-> DISABLED <-> SPECIFIC-THREATS Adobe RoboHelp Server Arbitrary File Upload (specific-threats.rules)
 * 1:18799 <-> DISABLED <-> DOS HP Data Protector Media Operations denial of service attempt (dos.rules)
 * 1:18798 <-> DISABLED <-> DOS HP Data Protector Media Operations denial of service attempt (dos.rules)
 * 1:18797 <-> ENABLED <-> WEB-MISC Oracle Secure Backup Administration property_box.php other variable command execution attempt (web-misc.rules)
 * 1:18796 <-> ENABLED <-> WEB-MISC Novell iManager ClassName handling overflow attempt (web-misc.rules)
 * 1:18795 <-> ENABLED <-> WEB-MISC HP OpenView Network Node Manager ovet_demandpoll.exe format string execution attempt (web-misc.rules)
 * 1:18794 <-> ENABLED <-> WEB-MISC RedHat JBoss Enterprise Application Platform JMX authentication bypass attempt (web-misc.rules)
 * 1:18793 <-> ENABLED <-> WEB-MISC Novell ZENworks Configuration Management UploadServlet code execution attempt (web-misc.rules)
 * 1:18792 <-> ENABLED <-> WEB-MISC Novell ZENworks Configuration Management UploadServlet code execution attempt (web-misc.rules)
 * 1:18791 <-> DISABLED <-> EXPLOIT Novell ZENworks Configuration Management Preboot service code overflow attempt (exploit.rules)
 * 1:18790 <-> DISABLED <-> EXPLOIT Novell ZENworks Handheld Management ZfHIPCND.exe overflow attempt (exploit.rules)
 * 1:18789 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x26AC integer overflow attempt (scada.rules)
 * 1:18788 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x1BBD integer overflow attempt (scada.rules)
 * 1:18787 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x1BBC integer overflow attempt (scada.rules)
 * 1:18786 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x0FA7 integer overflow attempt (scada.rules)
 * 1:18785 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x0FA4 integer overflow attempt (scada.rules)
 * 1:18784 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x0DB0 integer overflow attempt (scada.rules)
 * 1:18783 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x0DAE integer overflow attempt (scada.rules)
 * 1:18782 <-> ENABLED <-> BLACKLIST URI Request for known malicious URI - Chinese Rootkit.Win32.Fisp.a (blacklist.rules)
 * 1:18781 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x07D0 integer overflow attempt (scada.rules)
 * 1:18780 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x07D0 integer overflow attempt (scada.rules)
 * 1:18779 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B5 integer overflow attempt (scada.rules)
 * 1:18778 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B5 integer overflow attempt (scada.rules)
 * 1:18777 <-> DISABLED <-> SPECIFIC-THREATS HP data protector OmniInet service NULL dereference denial of service attempt (specific-threats.rules)
 * 1:18776 <-> DISABLED <-> WEB-CLIENT Adobe Shockwave Director pamm chunk memory corruption attempt (web-client.rules)
 * 1:18775 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /gpdcount (blacklist.rules)
 * 1:18774 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /linkscr.php (blacklist.rules)
 * 1:18773 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /stat.htm (blacklist.rules)
 * 1:18770 <-> ENABLED <-> SPECIFIC-THREATS Apple Safari WebKit Range Object Remote Code Execution (specific-threats.rules)
 * 1:18769 <-> DISABLED <-> LDAP Novell eDirectory evtFilteredMonitorEventsRequest function heap overflow attempt (exploit.rules)
 * 1:18768 <-> ENABLED <-> SMTP Novell GroupWise internet agent RRULE parsing buffer overflow attempt (smtp.rules)
 * 1:18767 <-> DISABLED <-> TFTP Multiple TFTP product buffer overflow attempt (tftp.rules)
 * 1:18766 <-> ENABLED <-> SPECIFIC-THREATS OpenSSL CMS structure OriginatorInfo memory corruption attempt (specific-threats.rules)
 * 1:18765 <-> ENABLED <-> SPECIFIC-THREATS Majordomo2 smtp directory traversal attempt (specific-threats.rules)
 * 1:18764 <-> ENABLED <-> WEB-MISC HP OpenView Network Node Manager nnmRptConfig.exe multiple parameters buffer overflow attempt (web-misc.rules)
 * 1:18763 <-> ENABLED <-> SPECIFIC-THREATS ActFax Server LPD/LPR Remote Buffer Overflow (specific-threats.rules)
 * 1:18762 <-> ENABLED <-> BLACKLIST URI request for known malicious URI /blog.updata?v= - Win32-Agent-GRW (blacklist.rules)
 * 1:18761 <-> ENABLED <-> WEB-CGI Majordomo2 http directory traversal attempt (web-cgi.rules)
 * 1:18760 <-> ENABLED <-> WEB-MISC HP OpenView Network Node Manager ovwebsnmpsrv.exe displayWidth buffer overflow attempt - GET (web-misc.rules)
 * 1:18759 <-> ENABLED <-> WEB-MISC HP OpenView Network Node Manager ovwebsnmpsrv.exe displayWidth buffer overflow attempt - POST (web-misc.rules)
 * 1:18758 <-> ENABLED <-> POLICY Visual Basic script download attempt (policy.rules)
 * 1:18757 <-> ENABLED <-> ATTACK-RESPONSES Microsoft cmd.exe banner Windows Vista (attack-responses.rules)
 * 1:18756 <-> ENABLED <-> ATTACK-RESPONSES Microsoft cmd.exe banner Windows 7/Server 2008R2 (attack-responses.rules)
 * 1:18754 <-> ENABLED <-> EXPLOIT HP Data Protector Backup Client Service code execution attempt (exploit.rules)
 * 1:18753 <-> ENABLED <-> EXPLOIT Zend Server Java Bridge remote code execution attempt (exploit.rules)
 * 1:18752 <-> ENABLED <-> SCADA RealWin 2.1 FC_INFOTAG_SET_CONTROL overflow attempt (scada.rules)
 * 1:18751 <-> ENABLED <-> WEB-MISC Samba SWAT HTTP Authentication overflow attempt (web-misc.rules)
 * 1:18750 <-> ENABLED <-> SCADA RealWin 2.1 FC_SCRIPT_FCS_STARTPROG overflow attempt (scada.rules)
 * 1:18749 <-> ENABLED <-> SCADA RealWin 2.1 FC_CTAGLIST_FCS_XTAG overflow attempt (scada.rules)
 * 1:18748 <-> ENABLED <-> SCADA RealWin 2.1 FC_MISC_FCS_MSGx overflow attempt (scada.rules)
 * 1:18747 <-> ENABLED <-> SCADA RealWin 2.1 FC_BINFILE_FCS_xFILE overflow attempt (scada.rules)
 * 1:18746 <-> ENABLED <-> SCADA RealWin 2.1 FC_CTAGLIST_FCS_XTAG overflow attempt (scada.rules)
 * 1:18745 <-> ENABLED <-> WEB-MISC HP Power Manager formExportDataLogs buffer overflow attempt (web-misc.rules)
 * 1:18744 <-> ENABLED <-> WEB-CLIENT vlc player subtitle buffer overflow attempt (web-client.rules)
 * 1:18743 <-> ENABLED <-> WEB-MISC vlc player web interface format string attack (web-misc.rules)
 * 1:18742 <-> ENABLED <-> WEB-MISC IBM WebSphere Expect header cross-site scripting (web-misc.rules)
 * 1:18741 <-> ENABLED <-> WEB-ACTIVEX CrystalReports EnterpriseControls ActiveX clsid access (web-activex.rules)
 * 3:18755 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Visio Data Type Memory Corruption (specific-threats.rules)
 * 3:18771 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel ADO Object Parsing Code Execution (specific-threats.rules)
 * 3:18772 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel ADO Object Parsing Code Execution (specific-threats.rules)
 * 3:18805 <-> ENABLED <-> EXPLOIT Adobe Flash Player undefined tag exploit attempt (exploit.rules)
 * 3:18806 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Excel RealTimeData record exploit attempt (specific-threats.rules)

Modified Rules:


 * 1:17546 <-> DISABLED <-> POLICY Microsoft Media Player compressed skin download - .wmd (policy.rules)
 * 1:1975 <-> DISABLED <-> FTP DELE overflow attempt (ftp.rules)
 * 1:1762 <-> ENABLED <-> WEB-CGI phf arbitrary command execution attempt (web-cgi.rules)
 * 1:9641 <-> ENABLED <-> WEB-CLIENT Windows Media Player ASF simple index object parsing buffer overflow attempt (web-client.rules)
 * 1:9643 <-> ENABLED <-> WEB-CLIENT Windows Media Player ASF marker object parsing buffer overflow attempt (web-client.rules)
 * 1:9642 <-> ENABLED <-> WEB-CLIENT Windows Media Player ASF codec list object parsing buffer overflow attempt (web-client.rules)
 * 1:1379 <-> DISABLED <-> FTP STAT overflow attempt (ftp.rules)
 * 1:16674 <-> ENABLED <-> WEB-MISC HP OpenView CGI parameter buffer overflow attempt (web-misc.rules)
 * 1:8478 <-> DISABLED <-> WEB-CLIENT Microsoft Publisher file download attempt (web-client.rules)
 * 1:2092 <-> ENABLED <-> RPC portmap proxy integer overflow attempt UDP (rpc.rules)
 * 3:17760 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Excel RealTimeData record exploit attempt (specific-threats.rules)
 * 3:16507 <-> ENABLED <-> WEB-CLIENT Internet Explorer onreadystatechange memory corruption attempt (web-client.rules)
 * 3:18062 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer CSS style memory corruption attempt (web-client.rules)
 * 3:14644 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer cross domain unfocusable HTML element (web-client.rules)
 * 3:13970 <-> ENABLED <-> WEB-CLIENT Microsoft Office eps filters memory corruption attempt (web-client.rules)
 * 3:18403 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer datasrc overflow attempt (web-client.rules)
 * 3:16228 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed StartObject record arbitrary code execution attempt (web-client.rules)
 * 3:15114 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer embed src buffer overflow attempt (web-client.rules)
 * 3:16156 <-> ENABLED <-> WEB-CLIENT Windows Media Player ASF marker object memory corruption attempt (web-client.rules)
 * 3:16325 <-> ENABLED <-> SPECIFIC-THREATS Adobe JPEG2k uninitialized QCC memory corruption attempt (specific-threats.rules)
 * 3:17768 <-> ENABLED <-> EXPLOIT IE8 object event handler use after free exploit attempt (exploit.rules)
 * 3:15302 <-> ENABLED <-> DOS Microsoft Exchange System Attendant denial of service attempt (dos.rules)
 * 3:16236 <-> ENABLED <-> WEB-CLIENT Microsoft Excel file SxView record exploit attempt (web-client.rules)