alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M1"; content:"|01 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold:type limit, track by_src, seconds 60, count 1; reference:cve,2015-5477; classtype:attempted-dos; sid:2021572; rev:3; metadata:created_at 2015_08_01, cve CVE_2015_5477, confidence Medium, signature_severity Major, updated_at 2023_05_24;)