Talos Rules 2015-08-13
Talos is aware of vulnerabilities affecting products from Apple Inc.

Apple QuickTime Vulnerabilities CVE-2015-3788 through CVE-2015-3792: Apple QuickTime for Windows suffers from programming errors that may lead to remote code execution.

A previously released rule will detect attacks targeting these vulnerabilities and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 12746.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 35560 through 35568.

Talos has also added and modified multiple rules in the browser-ie, browser-other, file-flash, file-image, file-multimedia, file-office, netbios, os-windows, protocol-icmp and server-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-08-13 20:47:06 UTC

Snort Subscriber Rules Update

Date: 2015-08-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35560 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime invalid stsd atom out of bounds read attempt (file-multimedia.rules)
 * 1:35561 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
 * 1:35562 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
 * 1:35563 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime esds atom buffer overread attempt (file-multimedia.rules)
 * 1:35564 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime esds atom buffer overread attempt (file-multimedia.rules)
 * 1:35565 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid url atom out of bounds read attempt (file-multimedia.rules)
 * 1:35566 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid url atom out of bounds read attempt (file-multimedia.rules)
 * 1:35567 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime invalid mvhd atom size out of bounds read attempt (file-multimedia.rules)
 * 1:35568 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime invalid mvhd atom size out of bounds read attempt (file-multimedia.rules)

Modified Rules:


 * 1:16534 <-> DISABLED <-> SERVER-OTHER Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt  (server-other.rules)
 * 1:35111 <-> DISABLED <-> SERVER-OTHER OpenSSL anomalous x509 certificate with default org name and certificate chain detected (server-other.rules)
 * 1:18630 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:16658 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 cross-site scripting attempt (browser-ie.rules)
 * 1:16418 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt  (netbios.rules)
 * 1:12746 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime invalid stsd atom out of bounds read attempt (file-multimedia.rules)
 * 1:13476 <-> DISABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow  (server-iis.rules)
 * 1:15851 <-> ENABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt  (server-iis.rules)
 * 1:15974 <-> ENABLED <-> SERVER-IIS Microsoft IIS ASP handling buffer overflow attempt  (server-iis.rules)
 * 1:18640 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed SupBook record attempt (file-office.rules)
 * 1:16405 <-> DISABLED <-> PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt  (protocol-icmp.rules)
 * 1:16395 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB COPY command oversized pathname attempt (os-windows.rules)
 * 3:17647 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt (file-flash.rules)
 * 3:18676 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)
 * 3:17242 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF file arbitrary code execution attempt (file-multimedia.rules)
 * 3:15857 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft Windows AVIFile media file invalid header length (file-multimedia.rules)
 * 3:17300 <-> ENABLED <-> FILE-MULTIMEDIA MPlayer demux_open_vqf TwinVQ file handling buffer overflow attempt (file-multimedia.rules)
 * 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:13947 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (file-image.rules)
 * 3:13969 <-> ENABLED <-> FILE-OFFICE Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (file-office.rules)
 * 3:11672 <-> ENABLED <-> BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt (browser-other.rules)
 * 3:13582 <-> ENABLED <-> FILE-OFFICE Microsoft Excel sst record arbitrary code execution attempt (file-office.rules)
 * 3:17608 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime color table atom movie file handling heap corruption attempt (file-multimedia.rules)
 * 3:13469 <-> ENABLED <-> FILE-OFFICE Microsoft Word ole stream memory corruption attempt (file-office.rules)
 * 3:19350 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Shockwave Player Director file FFFFFF88 record integer overflow attempt (file-multimedia.rules)
 * 3:13946 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (file-image.rules)
 * 3:15365 <-> ENABLED <-> FILE-OFFICE Microsoft Excel extrst record arbitrary code excecution attempt (file-office.rules)

2015-08-13 20:47:06 UTC

Snort Subscriber Rules Update

Date: 2015-08-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35567 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime invalid mvhd atom size out of bounds read attempt (file-multimedia.rules)
 * 1:35568 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime invalid mvhd atom size out of bounds read attempt (file-multimedia.rules)
 * 1:35565 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid url atom out of bounds read attempt (file-multimedia.rules)
 * 1:35566 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid url atom out of bounds read attempt (file-multimedia.rules)
 * 1:35563 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime esds atom buffer overread attempt (file-multimedia.rules)
 * 1:35564 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime esds atom buffer overread attempt (file-multimedia.rules)
 * 1:35561 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
 * 1:35562 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
 * 1:35560 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime invalid stsd atom out of bounds read attempt (file-multimedia.rules)

Modified Rules:


 * 1:12746 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime invalid stsd atom out of bounds read attempt (file-multimedia.rules)
 * 1:13476 <-> DISABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow  (server-iis.rules)
 * 1:15851 <-> ENABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt  (server-iis.rules)
 * 1:15974 <-> ENABLED <-> SERVER-IIS Microsoft IIS ASP handling buffer overflow attempt  (server-iis.rules)
 * 1:16534 <-> DISABLED <-> SERVER-OTHER Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt  (server-other.rules)
 * 1:16658 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 cross-site scripting attempt (browser-ie.rules)
 * 1:18640 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed SupBook record attempt (file-office.rules)
 * 1:35111 <-> DISABLED <-> SERVER-OTHER OpenSSL anomalous x509 certificate with default org name and certificate chain detected (server-other.rules)
 * 1:18630 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:16418 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt  (netbios.rules)
 * 1:16395 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB COPY command oversized pathname attempt (os-windows.rules)
 * 1:16405 <-> DISABLED <-> PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt  (protocol-icmp.rules)
 * 3:15365 <-> ENABLED <-> FILE-OFFICE Microsoft Excel extrst record arbitrary code excecution attempt (file-office.rules)
 * 3:19350 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Shockwave Player Director file FFFFFF88 record integer overflow attempt (file-multimedia.rules)
 * 3:17300 <-> ENABLED <-> FILE-MULTIMEDIA MPlayer demux_open_vqf TwinVQ file handling buffer overflow attempt (file-multimedia.rules)
 * 3:18676 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)
 * 3:15857 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft Windows AVIFile media file invalid header length (file-multimedia.rules)
 * 3:13582 <-> ENABLED <-> FILE-OFFICE Microsoft Excel sst record arbitrary code execution attempt (file-office.rules)
 * 3:13947 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (file-image.rules)
 * 3:13946 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (file-image.rules)
 * 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:13969 <-> ENABLED <-> FILE-OFFICE Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (file-office.rules)
 * 3:11672 <-> ENABLED <-> BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt (browser-other.rules)
 * 3:13469 <-> ENABLED <-> FILE-OFFICE Microsoft Word ole stream memory corruption attempt (file-office.rules)
 * 3:17608 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime color table atom movie file handling heap corruption attempt (file-multimedia.rules)
 * 3:17647 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt (file-flash.rules)
 * 3:17242 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF file arbitrary code execution attempt (file-multimedia.rules)

2015-08-13 20:47:06 UTC

Snort Subscriber Rules Update

Date: 2015-08-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35568 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime invalid mvhd atom size out of bounds read attempt (file-multimedia.rules)
 * 1:35567 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime invalid mvhd atom size out of bounds read attempt (file-multimedia.rules)
 * 1:35566 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid url atom out of bounds read attempt (file-multimedia.rules)
 * 1:35564 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime esds atom buffer overread attempt (file-multimedia.rules)
 * 1:35565 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid url atom out of bounds read attempt (file-multimedia.rules)
 * 1:35562 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
 * 1:35563 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime esds atom buffer overread attempt (file-multimedia.rules)
 * 1:35560 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime invalid stsd atom out of bounds read attempt (file-multimedia.rules)
 * 1:35561 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)

Modified Rules:


 * 1:16418 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt  (netbios.rules)
 * 1:16658 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 cross-site scripting attempt (browser-ie.rules)
 * 1:16534 <-> DISABLED <-> SERVER-OTHER Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt  (server-other.rules)
 * 1:18630 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:35111 <-> DISABLED <-> SERVER-OTHER OpenSSL anomalous x509 certificate with default org name and certificate chain detected (server-other.rules)
 * 1:12746 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime invalid stsd atom out of bounds read attempt (file-multimedia.rules)
 * 1:18640 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed SupBook record attempt (file-office.rules)
 * 1:13476 <-> DISABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow  (server-iis.rules)
 * 1:15851 <-> ENABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt  (server-iis.rules)
 * 1:15974 <-> ENABLED <-> SERVER-IIS Microsoft IIS ASP handling buffer overflow attempt  (server-iis.rules)
 * 1:16405 <-> DISABLED <-> PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt  (protocol-icmp.rules)
 * 1:16395 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB COPY command oversized pathname attempt (os-windows.rules)
 * 3:17647 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt (file-flash.rules)
 * 3:17242 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF file arbitrary code execution attempt (file-multimedia.rules)
 * 3:18676 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)
 * 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:13582 <-> ENABLED <-> FILE-OFFICE Microsoft Excel sst record arbitrary code execution attempt (file-office.rules)
 * 3:13969 <-> ENABLED <-> FILE-OFFICE Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (file-office.rules)
 * 3:13947 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (file-image.rules)
 * 3:13469 <-> ENABLED <-> FILE-OFFICE Microsoft Word ole stream memory corruption attempt (file-office.rules)
 * 3:11672 <-> ENABLED <-> BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt (browser-other.rules)
 * 3:13946 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (file-image.rules)
 * 3:17608 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime color table atom movie file handling heap corruption attempt (file-multimedia.rules)
 * 3:15857 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft Windows AVIFile media file invalid header length (file-multimedia.rules)
 * 3:19350 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Shockwave Player Director file FFFFFF88 record integer overflow attempt (file-multimedia.rules)
 * 3:17300 <-> ENABLED <-> FILE-MULTIMEDIA MPlayer demux_open_vqf TwinVQ file handling buffer overflow attempt (file-multimedia.rules)
 * 3:15365 <-> ENABLED <-> FILE-OFFICE Microsoft Excel extrst record arbitrary code excecution attempt (file-office.rules)

2015-08-13 20:47:06 UTC

Snort Subscriber Rules Update

Date: 2015-08-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35568 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime invalid mvhd atom size out of bounds read attempt (file-multimedia.rules)
 * 1:35567 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime invalid mvhd atom size out of bounds read attempt (file-multimedia.rules)
 * 1:35566 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid url atom out of bounds read attempt (file-multimedia.rules)
 * 1:35565 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid url atom out of bounds read attempt (file-multimedia.rules)
 * 1:35564 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime esds atom buffer overread attempt (file-multimedia.rules)
 * 1:35563 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime esds atom buffer overread attempt (file-multimedia.rules)
 * 1:35562 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
 * 1:35561 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
 * 1:35560 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime invalid stsd atom out of bounds read attempt (file-multimedia.rules)

Modified Rules:


 * 1:35111 <-> DISABLED <-> SERVER-OTHER OpenSSL anomalous x509 certificate with default org name and certificate chain detected (server-other.rules)
 * 1:18640 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed SupBook record attempt (file-office.rules)
 * 1:18630 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:12746 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime invalid stsd atom out of bounds read attempt (file-multimedia.rules)
 * 1:13476 <-> DISABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow  (server-iis.rules)
 * 1:15851 <-> ENABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt  (server-iis.rules)
 * 1:15974 <-> ENABLED <-> SERVER-IIS Microsoft IIS ASP handling buffer overflow attempt  (server-iis.rules)
 * 1:16658 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 cross-site scripting attempt (browser-ie.rules)
 * 1:16418 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt  (netbios.rules)
 * 1:16534 <-> DISABLED <-> SERVER-OTHER Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt  (server-other.rules)
 * 1:16405 <-> DISABLED <-> PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt  (protocol-icmp.rules)
 * 1:16395 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB COPY command oversized pathname attempt (os-windows.rules)
 * 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:13947 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (file-image.rules)
 * 3:13969 <-> ENABLED <-> FILE-OFFICE Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (file-office.rules)
 * 3:13582 <-> ENABLED <-> FILE-OFFICE Microsoft Excel sst record arbitrary code execution attempt (file-office.rules)
 * 3:13946 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (file-image.rules)
 * 3:11672 <-> ENABLED <-> BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt (browser-other.rules)
 * 3:13469 <-> ENABLED <-> FILE-OFFICE Microsoft Word ole stream memory corruption attempt (file-office.rules)
 * 3:17608 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime color table atom movie file handling heap corruption attempt (file-multimedia.rules)
 * 3:19350 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Shockwave Player Director file FFFFFF88 record integer overflow attempt (file-multimedia.rules)
 * 3:17647 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt (file-flash.rules)
 * 3:17242 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF file arbitrary code execution attempt (file-multimedia.rules)
 * 3:15857 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft Windows AVIFile media file invalid header length (file-multimedia.rules)
 * 3:17300 <-> ENABLED <-> FILE-MULTIMEDIA MPlayer demux_open_vqf TwinVQ file handling buffer overflow attempt (file-multimedia.rules)
 * 3:18676 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)
 * 3:15365 <-> ENABLED <-> FILE-OFFICE Microsoft Excel extrst record arbitrary code excecution attempt (file-office.rules)