alert ip any any -> any any (ip_proto: 11; msg:"IP-PROTO-11: possible backdoor traffic";)

alert ip any any -> any any (ip_proto: 11; offset: 0; content: "|0200|"; msg:"possible DoS/Backdoor traffic";)