alert dns any any -> $HOME_NET any (msg:"INFO [PTsecurity] DNS RRSIG without covered RR (CVE-2016-9147)"; flow:established, from_server; content:"|00 01 00 01|"; offset:4; depth:6; content:"|00 00|"; distance:0; content:"|00 01|"; distance:1; within:2; content:"|00 2E 00|"; fast_pattern; distance:0; pcre:"/.{4,6}\x00\x01\x00\x01.{4}[^\x00]+\x00.{4}[^\x00]+\x00(?:\x2e|\x00\x2e)/"; reference:cve, 2016-9147; reference:url, kb.isc.org/article/AA-01440/74/CVE-2016-9147%3A-An-error-handling-a-query-response-containing-inconsistent-DNSSEC-information-could-cause-an-assertion-failure-.html; classtype:attempted-dos; reference:url, github.com/ptresearch/AttackDetection; sid:10000892; rev:2;)