Glibc DNS IDS signature

Here is a slightly optimized signature for GLibc's DNS overflow vulnerability (CVE-2015-7547.)  Please adapt to your liking.

alert udp any 53 -> any any (msg:"LP UDP-DNS REPLY OVERFLOW
CVE-2015-7547"; content:"|83 80 00 01|"; content:"|00 01 00 01|";
distance:10; pcre:"/\x00\x01\x00\x01(.{2000,})/s";reference:url,googleonlinesecurity.blogspot.fr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html;
classtype:attempted-admin; sid:%YOUR CHOICE%; rev:1;)


alert tcp any 53 -> any any (msg:"LP TCP-DNS REPLY OVERFLOW
CVE-2015-7547"; content:"|83 80 00 01|"; content:"|00 1c 00 01|";
distance:10; pcre:"/\x00\x1c\x00\x01(.{2000,})/s";
reference:url,googleonlinesecurity.blogspot.fr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html;
classtype:attempted-admin; sid:%YOUR CHOICE%; rev:1;)