VRT Rules 2014-07-17
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the bad-traffic, blacklist, browser-firefox, browser-ie, file-office, file-pdf, malware-cnc, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-07-17 14:54:43 UTC

Sourcefire VRT Rules Update

Date: 2014-07-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall outbound connection attempt (malware-cnc.rules)
 * 1:31449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall downloader attempt (malware-cnc.rules)
 * 1:31448 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nofbiatdominicana.com - Win.Trojan.CryptoWall (blacklist.rules)
 * 1:31447 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mediaocean.home.pl - Win.Trojan.CryptoWall (blacklist.rules)
 * 1:31446 <-> ENABLED <-> BLACKLIST DNS request for known malware domain maskaradshowdominicana.com - Win.Trojan.CryptoWall (blacklist.rules)
 * 1:31445 <-> ENABLED <-> BLACKLIST DNS request for known malware domain likeyoudominicana.com - Win.Trojan.CryptoWall (blacklist.rules)
 * 1:31444 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dominicanajoker.com - Win.Trojan.CryptoWall (blacklist.rules)
 * 1:31443 <-> DISABLED <-> SERVER-WEBAPP ActiveState ActivePerl perlIIS.dll server URI buffer overflow attempt (server-webapp.rules)
 * 1:31442 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Injector variant outbound connection (malware-cnc.rules)
 * 1:31441 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed chart arbitrary code execution attempt (file-office.rules)
 * 1:31440 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules)
 * 1:31439 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules)
 * 1:31438 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules)
 * 1:31437 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules)
 * 1:31436 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB record memory corruption attempt (file-office.rules)
 * 1:31435 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB record memory corruption attempt (file-office.rules)
 * 1:31434 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word Section Table Array Buffer Overflow attempt (file-office.rules)
 * 1:31433 <-> DISABLED <-> MALWARE-CNC MSIL Worm command and control connection (malware-cnc.rules)
 * 3:31398 <-> ENABLED <-> BAD-TRAFFIC Cisco Unified IP phone BVSMWeb portal attack attempt (bad-traffic.rules)

Modified Rules:


 * 1:19951 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Defsel variant outbound connection (malware-cnc.rules)
 * 1:19296 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules)
 * 1:19950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Defsel inbound connection (malware-cnc.rules)
 * 1:18656 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe strep overflow attempt (protocol-scada.rules)
 * 1:18657 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules)
 * 1:18651 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe report template overflow attempt (protocol-scada.rules)
 * 1:18654 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe format string attempt (protocol-scada.rules)
 * 1:18649 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation overflow attempt (protocol-scada.rules)
 * 1:18648 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file upload/download attempt (protocol-scada.rules)
 * 1:12281 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules)
 * 1:12282 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules)
 * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (protocol-services.rules)
 * 1:12280 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules)
 * 1:26176 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB memory corruption attempt (file-office.rules)
 * 1:23879 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules)
 * 1:23880 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules)
 * 1:21503 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB memory corruption (file-office.rules)
 * 1:21363 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:20030 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation directory traversal attempt (protocol-scada.rules)

2014-07-17 14:54:43 UTC

Sourcefire VRT Rules Update

Date: 2014-07-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31448 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nofbiatdominicana.com - Win.Trojan.CryptoWall (blacklist.rules)
 * 1:31450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall outbound connection attempt (malware-cnc.rules)
 * 1:31441 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed chart arbitrary code execution attempt (file-office.rules)
 * 1:31442 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Injector variant outbound connection (malware-cnc.rules)
 * 1:31439 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules)
 * 1:31440 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules)
 * 1:31438 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules)
 * 1:31437 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules)
 * 1:31443 <-> DISABLED <-> SERVER-WEBAPP ActiveState ActivePerl perlIIS.dll server URI buffer overflow attempt (server-webapp.rules)
 * 1:31435 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB record memory corruption attempt (file-office.rules)
 * 1:31436 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB record memory corruption attempt (file-office.rules)
 * 1:31433 <-> DISABLED <-> MALWARE-CNC MSIL Worm command and control connection (malware-cnc.rules)
 * 1:31434 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word Section Table Array Buffer Overflow attempt (file-office.rules)
 * 1:31445 <-> ENABLED <-> BLACKLIST DNS request for known malware domain likeyoudominicana.com - Win.Trojan.CryptoWall (blacklist.rules)
 * 1:31444 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dominicanajoker.com - Win.Trojan.CryptoWall (blacklist.rules)
 * 1:31446 <-> ENABLED <-> BLACKLIST DNS request for known malware domain maskaradshowdominicana.com - Win.Trojan.CryptoWall (blacklist.rules)
 * 1:31447 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mediaocean.home.pl - Win.Trojan.CryptoWall (blacklist.rules)
 * 1:31449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall downloader attempt (malware-cnc.rules)
 * 3:31398 <-> ENABLED <-> BAD-TRAFFIC Cisco Unified IP phone BVSMWeb portal attack attempt (bad-traffic.rules)

Modified Rules:


 * 1:26176 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB memory corruption attempt (file-office.rules)
 * 1:12280 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules)
 * 1:19951 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Defsel variant outbound connection (malware-cnc.rules)
 * 1:19950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Defsel inbound connection (malware-cnc.rules)
 * 1:18651 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe report template overflow attempt (protocol-scada.rules)
 * 1:18654 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe format string attempt (protocol-scada.rules)
 * 1:18657 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules)
 * 1:19296 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules)
 * 1:12281 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules)
 * 1:18656 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe strep overflow attempt (protocol-scada.rules)
 * 1:18649 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation overflow attempt (protocol-scada.rules)
 * 1:12282 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules)
 * 1:18648 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file upload/download attempt (protocol-scada.rules)
 * 1:21363 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (protocol-services.rules)
 * 1:23879 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules)
 * 1:23880 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules)
 * 1:21503 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB memory corruption (file-office.rules)
 * 1:20030 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation directory traversal attempt (protocol-scada.rules)

2014-07-17 14:54:43 UTC

Sourcefire VRT Rules Update

Date: 2014-07-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31446 <-> ENABLED <-> BLACKLIST DNS request for known malware domain maskaradshowdominicana.com - Win.Trojan.CryptoWall (blacklist.rules)
 * 1:31447 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mediaocean.home.pl - Win.Trojan.CryptoWall (blacklist.rules)
 * 1:31448 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nofbiatdominicana.com - Win.Trojan.CryptoWall (blacklist.rules)
 * 1:31450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall outbound connection attempt (malware-cnc.rules)
 * 1:31438 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules)
 * 1:31441 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed chart arbitrary code execution attempt (file-office.rules)
 * 1:31442 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Injector variant outbound connection (malware-cnc.rules)
 * 1:31440 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules)
 * 1:31434 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word Section Table Array Buffer Overflow attempt (file-office.rules)
 * 1:31435 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB record memory corruption attempt (file-office.rules)
 * 1:31445 <-> ENABLED <-> BLACKLIST DNS request for known malware domain likeyoudominicana.com - Win.Trojan.CryptoWall (blacklist.rules)
 * 1:31439 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules)
 * 1:31444 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dominicanajoker.com - Win.Trojan.CryptoWall (blacklist.rules)
 * 1:31436 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB record memory corruption attempt (file-office.rules)
 * 1:31437 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules)
 * 1:31433 <-> DISABLED <-> MALWARE-CNC MSIL Worm command and control connection (malware-cnc.rules)
 * 1:31449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall downloader attempt (malware-cnc.rules)
 * 1:31443 <-> DISABLED <-> SERVER-WEBAPP ActiveState ActivePerl perlIIS.dll server URI buffer overflow attempt (server-webapp.rules)
 * 3:31398 <-> ENABLED <-> BAD-TRAFFIC Cisco Unified IP phone BVSMWeb portal attack attempt (bad-traffic.rules)

Modified Rules:


 * 1:23880 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules)
 * 1:21503 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB memory corruption (file-office.rules)
 * 1:26176 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB memory corruption attempt (file-office.rules)
 * 1:12280 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules)
 * 1:19951 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Defsel variant outbound connection (malware-cnc.rules)
 * 1:19950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Defsel inbound connection (malware-cnc.rules)
 * 1:18654 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe format string attempt (protocol-scada.rules)
 * 1:12281 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules)
 * 1:18656 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe strep overflow attempt (protocol-scada.rules)
 * 1:12282 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules)
 * 1:18651 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe report template overflow attempt (protocol-scada.rules)
 * 1:19296 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules)
 * 1:18657 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules)
 * 1:18648 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file upload/download attempt (protocol-scada.rules)
 * 1:18649 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation overflow attempt (protocol-scada.rules)
 * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (protocol-services.rules)
 * 1:21363 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:23879 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules)
 * 1:20030 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation directory traversal attempt (protocol-scada.rules)

2014-07-17 14:54:43 UTC

Sourcefire VRT Rules Update

Date: 2014-07-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall outbound connection attempt (malware-cnc.rules)
 * 1:31447 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mediaocean.home.pl - Win.Trojan.CryptoWall (blacklist.rules)
 * 1:31433 <-> DISABLED <-> MALWARE-CNC MSIL Worm command and control connection (malware-cnc.rules)
 * 1:31437 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules)
 * 1:31439 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules)
 * 1:31443 <-> DISABLED <-> SERVER-WEBAPP ActiveState ActivePerl perlIIS.dll server URI buffer overflow attempt (server-webapp.rules)
 * 1:31444 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dominicanajoker.com - Win.Trojan.CryptoWall (blacklist.rules)
 * 1:31445 <-> ENABLED <-> BLACKLIST DNS request for known malware domain likeyoudominicana.com - Win.Trojan.CryptoWall (blacklist.rules)
 * 1:31440 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules)
 * 1:31436 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB record memory corruption attempt (file-office.rules)
 * 1:31438 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules)
 * 1:31442 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Injector variant outbound connection (malware-cnc.rules)
 * 1:31441 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed chart arbitrary code execution attempt (file-office.rules)
 * 1:31449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall downloader attempt (malware-cnc.rules)
 * 1:31434 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word Section Table Array Buffer Overflow attempt (file-office.rules)
 * 1:31446 <-> ENABLED <-> BLACKLIST DNS request for known malware domain maskaradshowdominicana.com - Win.Trojan.CryptoWall (blacklist.rules)
 * 1:31435 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB record memory corruption attempt (file-office.rules)
 * 1:31448 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nofbiatdominicana.com - Win.Trojan.CryptoWall (blacklist.rules)
 * 3:31398 <-> ENABLED <-> BAD-TRAFFIC Cisco Unified IP phone BVSMWeb portal attack attempt (bad-traffic.rules)

Modified Rules:


 * 1:21363 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:21503 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB memory corruption (file-office.rules)
 * 1:23879 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules)
 * 1:23880 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules)
 * 1:26176 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB memory corruption attempt (file-office.rules)
 * 1:12280 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules)
 * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (protocol-services.rules)
 * 1:19951 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Defsel variant outbound connection (malware-cnc.rules)
 * 1:18654 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe format string attempt (protocol-scada.rules)
 * 1:18656 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe strep overflow attempt (protocol-scada.rules)
 * 1:19950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Defsel inbound connection (malware-cnc.rules)
 * 1:18657 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules)
 * 1:12281 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules)
 * 1:12282 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules)
 * 1:19296 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules)
 * 1:18651 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe report template overflow attempt (protocol-scada.rules)
 * 1:18648 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file upload/download attempt (protocol-scada.rules)
 * 1:18649 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation overflow attempt (protocol-scada.rules)
 * 1:20030 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation directory traversal attempt (protocol-scada.rules)