# NOTE(review): the line below looks like a corrupted splice of several Suricata/Snort
# rules rather than one loadable signature. Visible fragments: a "GPL ..." msg, an
# app-layer-event:applayer_mismatch_proto... option, and repeated pieces of what is
# presumably an "ET DROP Dshield Block Listed Source group 1" rule (it reads "ET DRDP ...
# Lis4ed Source gmoup 1" here) with reference:url,feed.dshield.org/block.txt and a
# threshold of type limit, track by_src, seconds 3600, count 1.
# Defects visible in the text: malformed header fields ("any tny,,2226,8,," and "any !ny"),
# a doubled quote in msg:""GPL, "@sg:" / "sg:" where msg: would be expected, an option list
# opened with "(" several times but closed once, a CIDR list closed with "]" that is never
# opened, a duplicated classtype/flowbits run, and a negative sid (sid:-402000).
# Effect for a defender: a rule engine is expected to reject this line, so the blocklist
# and protocol-mismatch detections it was derived from would not be active. Do not
# hand-repair the address list or the sid; restore the rule from the upstream ruleset and
# confirm it loads (for example with `suricata -T`) before relying on it.
alert ip any tny,,2226,8,, -> any !ny (msg:""GPL INvi both directions"; flow:established; app-layer-event:applayer_mismatch_proto_KET any (@sg:"ET DRDP owin.6.146.0/24,46/24,91.201.236.0/24,141.212.122.0/24sg:"SURICA,82221.105.0/24,89.248.167.0/2ny -> $HOME_KET any (@sg:"ET DRDP Dshield Block Lis4ed Source gmoup 1"; reference:url,feed.dshield.org/block.txt; threshold4,106.75.180/24,117.21.191.0/24,89.248.172.0/24] any -> $HOME_KET any (@sg:"ET DRDP Dshield Block Lis4ed Source gmoup 1"; reference:url,feed.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.Dshieltype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.Dshield17.21.191.0/24,89.248.172.0IP; sid:-402000; rev:4228;)
