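# Wireshark colouring rules for network triage.
# Line format: @<rule name>@<display filter>@[bg R,G,B][fg R,G,B]  (16-bit channels, 0-65535).
# Rules are evaluated top to bottom and the first match colours the packet, so
# order is significant: a malformed TCP segment with SYN set is shown as
# "TCP SYN / SYN-ACK", not "Malformed Packet". Move a rule up if it should win.

# --- TCP state and sequence analysis (tcp.analysis.* needs TCP sequence analysis enabled) ---
@TCP Errors / RST@tcp.flags.reset == 1@[65535,0,0][65535,65535,65535]
@TCP Retransmission@tcp.analysis.retransmission || tcp.analysis.fast_retransmission@[65535,32768,0][0,0,0]
@TCP Out of Order@tcp.analysis.out_of_order@[65535,55000,0][0,0,0]
@TCP Zero Window@tcp.analysis.zero_window || tcp.analysis.zero_window_probe@[65535,0,65535][65535,65535,65535]
@TCP Duplicate ACK@tcp.analysis.duplicate_ack@[49152,49152,65535][0,0,0]
@TCP SYN / SYN-ACK@tcp.flags.syn == 1@[0,48896,0][65535,65535,65535]
@TCP FIN@tcp.flags.fin == 1 && tcp.flags.syn == 0@[0,32768,32768][65535,65535,65535]

# --- IP / ICMP anomalies ---
# ICMP error messages are types 3 (destination unreachable), 4 (source quench),
# 5 (redirect), 11 (time exceeded) and 12 (parameter problem). The previous
# "icmp.type >= 3" also coloured echo requests (8) and other informational
# types as errors, burying real unreachable/redirect messages in ping traffic.
@ICMP Errors@icmp.type == 3 || icmp.type == 4 || icmp.type == 5 || icmp.type == 11 || icmp.type == 12@[65535,16384,16384][0,0,0]
# NOTE(review): link-local multicast and some routing protocols legitimately use
# TTL 1, so this rule also colours that traffic; narrow it if that is noisy.
@Low TTL (< 5)@ip.ttl < 5@[65535,40000,0][0,0,0]
# Checksum status values: 0 = Bad, 1 = Good, 2 = Unverified. The previous "== 2"
# matched Unverified, which is what every packet reports while checksum
# validation is switched off, so this rule claimed nearly all IPv4 traffic and
# the rules below it were rarely reached.
# The rule only fires when checksum validation is enabled in the IP/TCP/UDP
# protocol preferences. Captures taken on a host with checksum offload typically
# show bad checksums on its own outbound packets; treat those as capture artefacts.
@Bad Checksum@ip.checksum.status == 0 || tcp.checksum.status == 0 || udp.checksum.status == 0@[65535,0,65535][65535,65535,65535]
@Malformed Packet@_ws.malformed@[65535,0,0][65535,65535,65535]

# --- Name resolution, address assignment, L2 ---
@DNS Error (RCODE != 0)@dns.flags.rcode != 0@[56000,40000,0][0,0,0]
# DHCP message type 6 = NAK, 4 = Decline.
# NOTE(review): newer Wireshark releases name this field dhcp.option.dhcp and keep
# bootp.* as an alias; confirm against the version this file is deployed to.
@DHCP NAK / Decline@bootp.option.dhcp == 6 || bootp.option.dhcp == 4@[65535,20000,20000][0,0,0]
# NOTE(review): despite the name, this filter matches every ARP request. A display
# filter is evaluated per packet and cannot count requests, so a single benign
# who-has is coloured the same as a flood. Use Statistics or the ARP dissector's
# storm-detection preference to confirm an actual flood before escalating.
@ARP Who-Has Flood (> 1 req)@arp.opcode == 1@[50000,65535,50000][0,0,0]

# --- Application protocols ---
@VoIP RTP@rtp@[40000,40000,65535][0,0,0]
@SIP@sip@[30000,55000,65535][0,0,0]
@HTTP Error (4xx/5xx)@http.response.code >= 400@[65535,50000,30000][0,0,0]
# FTP control carries credentials in cleartext; this rule highlights the whole control channel.
@FTP Control@ftp@[55000,55000,30000][0,0,0]

# --- Catch-all: group bit set in the first octet of the destination MAC ---
@Broadcast / Multicast@eth.dst[0] & 1@[45000,45000,45000][0,0,0]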
