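0001 <Comment># Suricata Samples (syntax-highlighter test input, not a deployable ruleset: the typographic quotes ” in some rules and the repeated sid:1 are kept as-is and would likely need fixing before an engine loads them)</Comment><br/>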
0002 <Comment># See: https://suricata.readthedocs.io/en/latest/rules/intro.html</Comment><br/>
0003 <Normal Text></Normal Text><br/>
0004 <Action>drop</Action><Normal Text> </Normal Text><Header Keyword>tcp</Header Keyword><Normal Text> </Normal Text><Header Keyword>$HOME_NET</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> -> </Normal Text><Header Keyword>$EXTERNAL_NET</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> (</Normal Text><Options Keyword>msg</Options Keyword><Normal Text>:</Normal Text><String>”ET TROJAN Likely Bot Nick in IRC (USA +..)”</String><Normal Text>; </Normal Text><Options Keyword>flow</Options Keyword><Normal Text>:established,to_server; </Normal Text><Options Keyword>flowbits</Options Keyword><Normal Text>:isset,is_proto_irc; </Normal Text><Options Keyword>content</Options Keyword><Normal Text>:</Normal Text><String>”NICK ”</String><Normal Text>; </Normal Text><Options Keyword>pcre</Options Keyword><Normal Text>:</Normal Text><String>”/NICK .*USA.*[0-9]{3,}/i”</String><Normal Text>; </Normal Text><Options Keyword>reference</Options Keyword><Normal Text>:url,doc.emergingthreats.net/</Normal Text><Decimal>2008124</Decimal><Normal Text>; </Normal Text><Options Keyword>classtype</Options Keyword><Normal Text>:trojan-activity; </Normal Text><Options Keyword>sid</Options Keyword><Normal Text>:</Normal Text><Decimal>2008124</Decimal><Normal Text>; </Normal Text><Options Keyword>rev</Options Keyword><Normal Text>:</Normal Text><Decimal>2</Decimal><Normal Text>;)</Normal Text><br/>
0005 <Normal Text></Normal Text><br/>
0006 <Action>alert</Action><Normal Text> </Normal Text><Header Keyword>tcp</Header Keyword><Normal Text> </Normal Text><Decimal>1</Decimal><Normal Text>.</Normal Text><Decimal>2</Decimal><Normal Text>.</Normal Text><Decimal>3</Decimal><Normal Text>.</Normal Text><Decimal>4</Decimal><Normal Text> </Normal Text><Decimal>1024</Decimal><Normal Text> -> </Normal Text><Decimal>5</Decimal><Normal Text>.</Normal Text><Decimal>6</Decimal><Normal Text>.</Normal Text><Decimal>7</Decimal><Normal Text>.</Normal Text><Decimal>8</Decimal><Normal Text> </Normal Text><Decimal>80</Decimal><br/>
0007 <Normal Text></Normal Text><br/>
0008 <Action>alert</Action><Normal Text> </Normal Text><Header Keyword>http</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> -> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> (</Normal Text><Options Keyword>content</Options Keyword><Normal Text>:</Normal Text><String>"index.php"</String><Normal Text>; </Normal Text><Options Keyword>http_uri</Options Keyword><Normal Text>; </Normal Text><Options Keyword>sid</Options Keyword><Normal Text>:</Normal Text><Decimal>1</Decimal><Normal Text>;)</Normal Text><br/>
0009 <Normal Text></Normal Text><br/>
0010 <Action>alert</Action><Normal Text> </Normal Text><Header Keyword>http</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> -> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> (http_response_line; </Normal Text><Options Keyword>content</Options Keyword><Normal Text>:</Normal Text><String>"403 Forbidden"</String><Normal Text>; </Normal Text><Options Keyword>sid</Options Keyword><Normal Text>:</Normal Text><Decimal>1</Decimal><Normal Text>;)</Normal Text><br/>
0011 <Normal Text></Normal Text><br/>
0012 <Action>alert</Action><Normal Text> </Normal Text><Header Keyword>tcp</Header Keyword><Normal Text> </Normal Text><Header Keyword>$EXTERNAL_NET</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> -> </Normal Text><Header Keyword>$HOME_NET</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> (</Normal Text><Options Keyword>msg</Options Keyword><Normal Text>:</Normal Text><String>”GPL DELETED typot trojan traffic”</String><Normal Text>; </Normal Text><Options Keyword>flow</Options Keyword><Normal Text>:stateless; </Normal Text><Options Keyword>flags</Options Keyword><Normal Text>:S,</Normal Text><Decimal>12</Decimal><Normal Text>; </Normal Text><Options Keyword>window</Options Keyword><Normal Text>:</Normal Text><Decimal>55808</Decimal><Normal Text>; </Normal Text><Options Keyword>reference</Options Keyword><Normal Text>:mcafee,</Normal Text><Decimal>100406</Decimal><Normal Text>; </Normal Text><Options Keyword>classtype</Options Keyword><Normal Text>:trojan-activity; </Normal Text><Options Keyword>sid</Options Keyword><Normal Text>:</Normal Text><Decimal>2182</Decimal><Normal Text>; </Normal Text><Options Keyword>rev</Options Keyword><Normal Text>:</Normal Text><Decimal>8</Decimal><Normal Text>;)</Normal Text><br/>
0013 <Normal Text></Normal Text><br/>
0014 <Action>alert</Action><Normal Text> </Normal Text><Header Keyword>tcp</Header Keyword><Normal Text> </Normal Text><Header Keyword>$EXTERNAL_NET</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> -> </Normal Text><Header Keyword>$HOME_NET</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> (</Normal Text><Options Keyword>flags</Options Keyword><Normal Text>:S,</Normal Text><Decimal>12</Decimal><Normal Text>; </Normal Text><Header Keyword>tcp</Header Keyword><Normal Text>.hdr; </Normal Text><Options Keyword>content</Options Keyword><Normal Text>:</Normal Text><String>”|02 04|”</String><Normal Text>; </Normal Text><Options Keyword>offset</Options Keyword><Normal Text>:</Normal Text><Decimal>20</Decimal><Normal Text>; </Normal Text><Options Keyword>byte_test</Options Keyword><Normal Text>:</Normal Text><Decimal>2</Decimal><Normal Text>,<,</Normal Text><Decimal>536</Decimal><Normal Text>,</Normal Text><Decimal>0</Decimal><Normal Text>,big,relative; </Normal Text><Options Keyword>sid</Options Keyword><Normal Text>:</Normal Text><Decimal>1234</Decimal><Normal Text>; </Normal Text><Options Keyword>rev</Options Keyword><Normal Text>:</Normal Text><Decimal>5</Decimal><Normal Text>;)</Normal Text><br/>
0015 <Normal Text></Normal Text><br/>
0016 <Comment># Snort Samples</Comment><br/>
0017 <Normal Text></Normal Text><br/>
0018 <Action>alert</Action><Normal Text> </Normal Text><Header Keyword>tcp</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> -> </Normal Text><Decimal>192</Decimal><Normal Text>.</Normal Text><Decimal>168</Decimal><Normal Text>.</Normal Text><Decimal>1</Decimal><Normal Text>.</Normal Text><Decimal>0</Decimal><Normal Text>/</Normal Text><Decimal>24</Decimal><Normal Text> </Normal Text><Decimal>111</Decimal><Normal Text> (</Normal Text><Options Keyword>content</Options Keyword><Normal Text>:</Normal Text><String>"|00 01 86 a5|"</String><Normal Text>; </Normal Text><Options Keyword>msg</Options Keyword><Normal Text>: </Normal Text><String>"mountd access"</String><Normal Text>;)</Normal Text><br/>