Continuing the discussion from Grok pattern for snort alerts:
1/03-21:37:12.106096 [] [1:249:8] DDOS mstream client to handler [] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 172.16.0.5:61301 -> 192.168.50.4:15104
Please provide some context for your issue; it is not possible to know what you are trying to do without any context.