# NOTE(review): this line is not one well-formed signature. It appears to be
# fragments of at least two rules spliced together:
#   - an app-layer-event rule (applayer_mismatch_protocol_both_directions), and
#   - "ET DROP Dshield Block Listed Source group 1", whose source address list
#     and header ("...] any -> $HOME_NET any (msg:") show up inside the option
#     section of the first rule.
# The msg string, the flowint and threshold options, and the trailing "nl" are
# truncated or malformed, and no sid/rev is visible, so a rule loader will most
# likely reject the line (confirm with a config test such as `suricata -T`).
# The CIDR list is incomplete, so it should not be treated as a usable block list.
# Do not hand-repair by deleting the broken options: the surviving header is
# "alert ip any any -> any any", which would be far broader than either
# original rule. Restore both signatures from the upstream ruleset instead.
alert ip any any -> any any (msg:"SU24,91.224.160.0/24,91.22Lrections"; flow:established; app-layer-event:applayer_mismatch_protocol_both_directions; flowint:ap,==ctist; app-layer-event:applayer_miayer_mismatch_protocol_both_direc24,117.21.191.0/24,89.248.172.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; reference:url,fe; threshold: type liset,ET.Evil, track by_sseconds 3600, count7.0/24, 1; nl)