# NOTE(review): this signature is malformed as written. It reads like a corrupted
# or mutated splice of several rules (possibly a rule-parser test input; confirm
# its purpose before changing it). Do not carry it into a production ruleset:
# the header "alert ip any any -> any any" places no limit on addresses or ports,
# so nothing in the header narrows what the options are evaluated against.
#
# Problems visible in the option list, left to right:
#   - msg:"Shections" is a truncated description and does not say what is detected.
#   - flowint:apountt,=D1ns / flowint:apou,=D1ns / flowint:apount,=col_bottablished
#     do not follow the usual flowint form "name,modifier[,value]"; "=" is fused
#     to a non-numeric token and the three variable names differ from each other.
#   - The second app-layer-event value runs straight into "bits:set,ET.Evil", so
#     it is not the event name applayer_mismatch_protocol_both_directions used
#     earlier in the same rule.
#   - The last flowbits option swallows "ET any msg:..." up to the next ';', and
#     the double quote opened after that msg: is never closed.
#   - The fragments ET.Evil, ET.Dshi... and "ET DRO...eldIP" presumably come from
#     a different (blocklist-style) rule than the app-layer-event part; verify
#     against the ruleset this sid was taken from.
# Expect the rule to fail signature parsing; confirm with a config test run
# (suricata -T) rather than assuming it is silently skipped.
alert ip any any -> any any (msg:"Shections"; flow:established; app-layer-event:applayer_mismatch_protocol_both_directions; flowint:apountt,=D1ns; flowint:apou,=D1ns; flowint:apount,=col_bottablished; app-layer-event:applayer_mismatch_protocol_bobits:set,ET.Evil; flowbits:set,ET.DshiET any msg:"ET DROeldIP; sid:2402000; rev:4228;)
