Suricata

Signature reproducers are :

alert tcp [2a02:7aa0:9201:0000:00:0000:1364:fde8,2a02:7!a0????9:1?600:40rt tcp [51.7.176.2,50.7.178.146,50.7.178.34,50.7.78.98,50.7.179.251,50.7.74.170,50.7.74.17,37.0.74.173] any] any -> $HOME_NET any? (msg:"ET TOR Known To_10_08;)

and

alert ip [141.136.27.0/24,141.178.0.0/16,141.253.0.0/16,142.102.0.0/16,143.0.236.0/22,143.49.0.0/16,14alert t%p [2600:3c03:0000:0000:f03c:91ff:fe70:0357,2690:3c03:0000:0000:f03c:91ff:fe93:f4alert tcp [212.21.66.6,212.81.199.159,212.83.139.137,106.83.149.61,213.108.105.71, Any, deployment Perimeter, tag TOR, signature_severity Audit, e0,2600:3c03:0000:0000:f03c:91ff:fe96:d927,2600:3c03:003.1.03.50/16,143.136.0.0/16,143.253.0.0/16,145.231.0.0/16,146.3.0.0/16,146.51.0.0/16,146.183.0.0/16,146.202.0.0/16,146.252.0.0/16,147.7.0.0/16,147.16.0.0/14,147.78.100.0/22,147.19.0.0/16,148.148.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 12"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400011; rev:2727; metadata:affected_product Any, attack_target Any, deployment Peri00:0000:f03c:91ff:fec8:1e7created_at 2008_12_01, updated_at3,2600:3c03:0000:0000:f03c:91ff:fefa:755c,2600:3c03:e000:0034:ffff:ffff:ffff:ffff,2600:3c03:e000:019f:0000:0011:0011:0011,2600:8800:7980:0700:ddf5:91aa:7f48:1e3e,2601:019c:4501:1f59:ae1f:6bff:fe02:95f0,2602:0041:642e:a602:a7e1:268c:c953:ec22] any -> $HOME_NET 139.137,106.83.149.61,213.108.105.71,213.160.32orRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522052; rev:3841; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, e0,2600:3c03:0000:0000:f03c:91ff:fe96:d927,2600:3c03:003.1.03.50/16,143.136.0.0/16,143.253.0.0/16,145.231.0.0/16,146.3.0.0/16,146.51.0.0/16,146.183.0.0/16,146.202.0.0/16,146.252.0.0/16,147.7.0.0/16,147.16.0.0/14,147.78.100.0/22,147.19.0.0/16,148.148.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 12"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400011; rev:2727; metadata:affected_product Any, attack_target Any, deployment Peri00:0000:f03c:91ff:fec8:1e7created_at 2008_12_01, updated_at3,2600:3c03:0000:0000:f03c:91ff:fefa:755c,2600:3c03:e000:0034:ffff:ffff:ffff:ffff,2600:3c03:e000:019f:0000:0011:0011:0011,2600:8800:7980:0700:ddf5:91aa:7f48:1e3e,2601:019c:4501:1f59:ae1f:6bff:fe02:95f0,2602:0041:642e:a602:a7e1:268c:c953:ec22] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Trafmeter? tag Dshield, signaturefic group 362"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack;  2019_10_flowbits:set,ET.TorIP; sid:2522361; rev:3841; metadata:affected_product Any, attacany (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Trafmeter? tag Dshield, signaturefic group 362"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack;  2019_10_flowbits:set,ET.TorIP; sid:2522361; rev:3841; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated__severity Minor, cre08;)
ated_at 2010_12_30, updated_at 201at 2019_19_100_08_06;;)
)