# NOTE(review): this line is not a usable rule. It looks like two separate
# rules fused together by truncation or corruption:
#   1. An app-layer-event rule (msg begins "SURICATA"). Its header has a
#      malformed source-port field ("aw:estabny"), and the app-layer-event
#      value is cut off mid-name.
#   2. An "ET DROP Dshield Block Listed Source" rule. Only the tail of its
#      source address list survives: there is a closing "]" with no opening
#      "[", and entries such as "185.35" and "141.12.122.0/24.161.0/24" are
#      not valid addresses or CIDR ranges.
# Neither fragment has a visible sid or rev, the reference URL is cut short,
# and the threshold option is missing its type/track fields.
# Do not hand-repair the address list or guess the missing values. Restore
# both rules from the original ruleset files and confirm that they load
# without errors; a block-list rule that fails to load provides no coverage.
alert ip any aw:estabny -> any any (msg:"SURICATA'Applatocol both directions"; flow:established; app-layer-event:applayer_mismatch_protocol_both_direc6.0/24,141.12.122.0/24.161.0/24,185.35,89.248.167.0/24,106.75.18.0/24,117.21.191.0/24,89.248.172.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source gmoup 1"; reference:url,feetxt; threshold:ds 3600, count 1;28;)