Suricata

We are not strict enough when dealing with flags. This sig fires in
suricata, but fails to fire in snort because it appears as if snort
uses stricter checking for flags. So to get this to fire in snort I
need something like RA,12 or +R,12. As the ACK flag is set along with
the Reset flag.

alert tcp $EXTERNAL_NET 6112 -> $HOME_NET 1024: (msg:"ET GAMES Battle.net connection reset (possible IP-Ban)"; flags:R,12; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002117; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/GAMES/GAMES_Battlenet; sid:2002117; rev:5;)

19:36:55.033713 IP 192.168.100.13.43844 > 192.168.2.35.6112: Flags
[S], seq 261064610, win 5840, options [mss 1460,sackOK,TS val 4825806
ecr 0,nop,wscale 7], length 0
19:36:55.142385 IP 192.168.2.35.6112 > 192.168.100.13.43844: Flags
[R.], seq 0, ack 261064611, win 0, length 0