Here's the corrected rule set (OSSEC/Wazuh `local_rules.xml` style; the enclosing `<group>` root element is not shown):

  <!-- Base rule: tags every event produced by the "iplog" decoder so the
       composite rules below can count repeats per source IP. Level 1 keeps
       it low-noise while still being recorded.
       NOTE(review): the "iplog" decoder must exist and must populate the
       source-IP field, otherwise <same_source_ip /> in the composite rules
       never matches; confirm against the decoder definition. Level 0 would
       presumably drop the event before the if_matched_* rules see it, so
       keep this at level 1 or higher.
       The trailing comma in <group> is this ruleset's list convention. -->
  <rule id="100001" level="1" >
    <decoded_as>iplog</decoded_as>
    <description>IPs</description>
    <group>ipaddy,</group>
  </rule>

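  <!-- Composite: fires when enough "ipaddy" group events arrive from one
       source IP within 300 s. frequency="4" is described as "6 in 5min",
       which relies on the documented OSSEC behaviour that a rule triggers at
       frequency + 2 events; NOTE(review): newer Wazuh releases may count
       exactly, so verify the real threshold on the deployed version.
       NOTE(review): rules 100002, 100003 and 100005 also carry group
       "ipaddy", so their own alerts appear to qualify as matches for this
       rule; if only raw 100001 hits should count, use
       <if_matched_sid>100001</if_matched_sid> as 100003 does.
       This rule also overlaps 100003 (same threshold and window, lower
       level); both will fire for the same burst.
       Fix: description typo "Mult-Group" corrected to "Multi-Group". -->
  <rule id="100002" level="9" frequency="4" timeframe="300">
    <if_matched_group>ipaddy</if_matched_group>
    <same_source_ip />
    <description>Multi-Group ipaddy same IP - 6 in 5min</description>
    <group>ipaddy,reoccurring,</group>
  </rule>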

  <!-- Composite: fires when rule 100001 has matched from the same source IP
       enough times within 300 s. frequency="4" is described as "6 in 5min",
       which relies on the documented OSSEC behaviour that a rule triggers at
       frequency + 2 events; NOTE(review): newer Wazuh releases may count
       exactly, so verify the real threshold on the deployed version.
       NOTE(review): identical condition and window to 100002 (which matches
       on the group instead of the sid) at a lower level, so a single burst
       produces two alerts; consider dropping one of the pair. -->
  <rule id="100003" level="7" frequency="4" timeframe="300">
    <if_matched_sid>100001</if_matched_sid>
    <same_source_ip />
    <description>Multiple ipaddy same IP - 6 in 5min</description>
    <group>ipaddy,reoccurring,</group>
  </rule>

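  <!-- Composite: longer-window escalation of 100003; fires when rule 100001
       has matched from the same source IP enough times within 600 s.
       Fix: the description said "12 in 10min" but frequency="9" yields 11
       events under the same frequency + 2 convention the sibling rules use
       (4 -> "6"); the description now states 11. If 12 was the intended
       threshold, set frequency="10" instead and restore the old wording.
       NOTE(review): newer Wazuh releases may count exactly (9 events), so
       verify the real threshold on the deployed version. Because 100003
       already fires at 6 events in 5 min, this rule will normally fire in
       addition to, not instead of, 100003. -->
  <rule id="100005" level="8" frequency="9" timeframe="600">
    <if_matched_sid>100001</if_matched_sid>
    <same_source_ip />
    <description>Multiple ipaddy same IP - 11 in 10min</description>
    <group>ipaddy,reoccurring,</group>
  </rule>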
