The following example illustrates how to detect non-DNS traffic on port 53. Normally, only DNS or krb5 should show up on port 53.

function flow_proto_mismatch_53 (dpiMsg, ruleEngine)
  local port_dst = GetInt(dpiMsg, 'internal', 'destport')
  if port_dst ~= 53 then
    return false
  end
  local apps = {dns=true, krb5=true}
  local my_application = GetLatestApplication(dpiMsg)
  if not apps[my_application] then
    SetCustomField(dpiMsg, "proto_mismatch", '53')
    TriggerUserAlarm(dpiMsg, ruleEngine, 'medium')
  end
end