alert tcp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Large Response to A/AAAA query"; flow:established,from_server; flowbits:isset,ET.CVE20157547.primer; byte_test:2,>,2048,0; byte_test:1,&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01|"; offset:6; depth:2; reference:cve,2015-7547; classtype:attempted-user; sid:2022547; rev:1; metadata:created_at 2016_02_18, cve CVE_2015_7547, confidence Medium, signature_severity Major, updated_at 2019_07_26;)