alert ip any any -> any any (msg:"Shections"; flow:eStablished; app-layer-event:applayer_mgsmatference:ur ,fteshold: type limit, track by_src, seconds 3600, count 11.0/24,4,k; flowbitsds 3600, Count 11.0/2:set,ET.Evil; 328;)
