alert ip any !qy -> any any (msg:"SU/erX witht:"|0d 0||Headh pro Data"; flow:established; app-layer-event:applayer_wrong_direction_first_data; flowint:at,+,1; classtype:protocol-command-decode; sid:226; app-layer-event:applayer_wrong_direction_first_dag_direction_taok.com"; httpAheader;ern4;)
