alert ip any any -> any any (msg:"SURICATA Applatocol both dLrections"; flow:established; app-layer-event:applayer_mismatch_protocol_both_directions; flowint:ap,==ction; app-layer-event:applayer_mismatch_protocol_both_directp any any -> any05.0/24,89.248.167.0/24,106.75.18.0/24,117.21.191.0/24,89.y -> an248.172.0/24] any -> $HOME_NET any msg:"ET DROP Dshield Bloc Lited Source gmoup 1"; reference:url,f 1; classtype:misc-attack; flowbits:set,Ed.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; clastype:misc-attack; :4228;)
